Let's release 0.0.11.

git-svn-id: https://www.unprompted.com/svn/projects/tildefriends/trunk@4478 ed5197a5-7fde-0310-b194-c3ffbd925b24
OpenSSL 1.1.1w for Android.
2023-09-27 22:26:19 +00:00 · 2023-09-27 22:23:52 +00:00 · 2023-09-25 16:43:56 +00:00 · 2023-09-23 21:29:01 +00:00 · 2023-09-23 18:49:24 +00:00 · 2023-09-23 18:41:58 +00:00
16232 changed files with 19226 additions and 436276 deletions
--- a/10
+++ b/10
@ -3,9 +3,9 @@
 MAKEFLAGS += --warn-undefined-variables
 MAKEFLAGS += --no-builtin-rules

-VERSION_CODE := 10
-VERSION_NUMBER := 0.0.10
-VERSION_NAME := Pride is not the opposite of shame but its source.
+VERSION_CODE := 11
+VERSION_NUMBER := 0.0.11
+VERSION_NAME := Be nothing, and you will have everything to give to others.

 PROJECT = tildefriends
 BUILD_DIR ?= out
@ -121,6 +121,10 @@ $(APP_OBJS): CFLAGS += \
 	-Ideps/xopt \
 	-Wdouble-promotion \
 	-Werror
+ifeq ($(UNAME_M),x86_64)
+$(filter-out $(BUILD_DIR)/android%,$(APP_OBJS)): CFLAGS += \
+	-fanalyzer
+endif

 BLOWFISH_SOURCES := \
 	deps/crypt_blowfish/crypt_blowfish.c \
--- a/apps/admin/script.js
+++ b/apps/admin/script.js
@ -29,7 +29,7 @@ window.addEventListener('load', function() {
 					<label for=${'gs_' + key} style="font-weight: bold">${key}: </label>
 					<div>
 						<input type="checkbox" ?checked=${description.value} id=${'gs_' + key}></input>
-						<button @click=${(e) => global_settings_set(key, e.srcElement.parentElement.previousElementSibling.checked)}>Set</button>
+						<button @click=${(e) => global_settings_set(key, e.srcElement.previousElementSibling.checked)}>Set</button>
 						<div>${description.description}</div>
 					</div>
 				</div>
@ -42,7 +42,7 @@ window.addEventListener('load', function() {
 						<div style="width: 90%; padding: 0 margin: 0">
 							<textarea style="vertical-align: top; width: 100%" rows=20 cols=80 id=${'gs_' + key}>${description.value}</textarea>
 						</div>
-						<button @click=${(e) => global_settings_set(key, e.srcElement.parentElement.previousElementSibling.value)}>Set</button>
+						<button @click=${(e) => global_settings_set(key, e.srcElement.previousElementSibling.firstElementChild.value)}>Set</button>
 						<div>${description.description}</div>
 					</div>
 				</div>
@ -53,7 +53,7 @@ window.addEventListener('load', function() {
 					<label for=${'gs_' + key} style="font-weight: bold">${key}: </label>
 					<div>
 						<input type="text" value="${description.value}" id=${'gs_' + key}></input>
-						<button @click=${(e) => global_settings_set(key, e.srcElement.parentElement.previousElementSibling.value)}>Set</button>
+						<button @click=${(e) => global_settings_set(key, e.srcElement.previousElementSibling.value)}>Set</button>
 						<div>${description.description}</div>
 					</div>
 				</div>
--- a/apps/api/app.js
+++ b/apps/api/app.js
--- a/apps/api/docs.js
+++ b/apps/api/docs.js
@ -0,0 +1,313 @@
+export const docs = {};
+
+docs.global = `# Tilde Friends API Documentation
+
+Welcome to the Tilde Friends API documentation.
+
+ * [App Globals](#App_Globals)
+ * [Database Interface](#Database)
+ * [Remote Procedure Calls](#tfrpc)
+
+<a id="App_Globals"></a>
+## <span style="color: #aaf">App Globals</span>
+The following are functions and values exposed to all apps in their \`app.js\` or \`handler.js\`.  Most
+of these are asynchronous, returning a \`Promise\` that will be resolved when the call completes, unless
+noted otherwise.
+
+This is all a work in progess. These are liable to change without warning.  Feedback is welcome.
+
+The exposed functions in this API balance multiple competing needs:
+ * The surface area of the exposed API ought to be fairly minimal.  If something can be implemented entirely app-side, that is
+   generally preferred over building it into the core.
+ * Everything is built on this API.  Ideally the admin app, the SSB app, and the editor all use standard API exposed to all
+   apps, with appropriate permission guards in place making it so that only trusted apps do potentially destructive operations.
+   There will be some things here that aren't necessarily general use to support what's required.
+
+If you are looking at the [Tilde Friends source code](https://www.tildefriends.net/~cory/releases/),
+the vast majority of these are implemented in \`src/*.js.c\` files, and exposed to apps via \`core/core.js\`.
+`;
+
+docs['core.user.credentials.session.name'] = `
+*String* The name of the authenticated user.
+`;
+
+docs['app.setDocument()'] = `
+Set the contents of the client &lt;iframe/&gt;.
+### Parameters
+ * *String* **html** The HTML contents.
+`;
+
+docs['ssb.sqlAsync()'] = `
+Run an SQL query against the sqlite database.
+### Parameters
+ * *String* **query** The sqlite query.
+ * *Array* **args** The query arguments to bind.
+ * *Function* **callback** Callback called for each row result.
+`;
+
+docs['ssb.appendMessageWithIdentity()'] = `
+Signs and stores a message in the SSB database.
+### Parameters
+ * *String* **id** The public key of an SSB identity owned by the authenticated user.
+ * *Object* **message** The unsigned message.
+`;
+
+docs['ssb.storeMessage()'] = `
+Verifies and stores a signed message in the SSB database.
+### Parameters
+ * *Object* **message** The valid, signed message to store.
+`;
+
+docs['ssb.blobStore()'] = `
+Store a blob in the SSB database.
+### Parameters
+ * *String*/*Uint8Array* **blob** The blob contents to store
+### Returns
+*String* The stored blob ID.
+`;
+
+docs['ssb.blobGet()'] = `
+Fetches a blob from the database.
+### Parameters
+ * *String* **blob_id** The blob identifier to fetch (\`&....sha256\`).
+### Returns
+*ArrayBuffer* The blob data.
+`;
+
+docs['print()'] = `
+Log debug information both to the server's console and to the visiting user's browser console when possible.
+### Parameters
+ * **...** Whatever you want to log.  Will be joined with spaces.
+`;
+
+docs['database()'] = `
+Returns a database instance that is specific to the authenticated user and the given key.
+### Parameters
+ * *String* **key** The database key.
+### Returns
+ *Database* A database.
+`;
+
+docs['my_shared_database()'] = `
+Returns a database instance that is specific to the authenticated user and the given key.
+### Parameters
+ * *String* **package_name** The database package name.
+ * *String* **key** The database key.
+### Returns
+*Database* A database.
+`;
+
+docs['shared_database()'] = `
+Returns a database instance that is shared between all users of the app, determined by its owner and app name.
+### Parameters
+ * *String* **key** The database key.
+### Returns
+*Database* A database.
+`;
+
+docs['base64Decode()'] = `
+Decode a base64 string to bytes.
+
+Completes synchronously.
+### Parameters
+ * *String* value The base64-encoded string.
+### Returns
+*Uint8Array* The decoded bytes.
+`;
+
+docs['base64Encode()'] = `
+Encode bytes to a base64 string.
+
+Completes synchronously.
+### Parameters
+ * *Uint8Array* The bytes to encode.
+### Returns
+*String* The base64-encoded string.
+`;
+
+docs['utf8Decode()'] = `
+Decode UTF-8 bytes to a string.
+
+Completes synchronously.
+### Parameters
+ * *Uint8Array* **value** The value to decode.
+### Returns
+*String* The value as a string.
+`;
+
+docs['utf8Encode()'] = `
+Encodes a string to UTF-8 bytes.
+
+Completes synchronously.
+### Parameters
+ * *String* **value** The value to encode.
+### Returns
+*Uint8Array* The encoded \`value\`.
+`;
+
+docs['setTimeout()'] = `
+Call a function after some delay.
+### Parameters
+ * *Function* **callback** The function to call.
+ * *Number* **timeout** Number of milliseconds to wait before calling the callback function.
+`;
+
+docs['parseHttpRequest()'] = `
+Parses an HTTP request.
+### Parameters
+ * *Uint8Array* **request** The request data.  Maybe be partial or contain extra data.  The return value will
+    indicate when and where it is complete.
+ * *Number* **last_length** The length of the data passed on a previous attempt for the same request, or 0 initially.
+### Returns
+ * *Integer* **-2** if the request is incomplete.
+ * *Integer* **-1** if the request could not be parsed.
+ * *Object* An object with **bytes_parsed**, **minor_version**, **path**, and **headers** fields on successful parse.
+`;
+
+docs['parseHttpResponse()'] = `
+Parses an HTTP response.
+### Parameters
+ * *Uint8Array* **response** The response data.  Maybe be partial or contain extra data.  The return value will
+    indicate when and where it is complete.
+ * *Number* **last_length** The length of the data passed on a previous attempt for the same response, or 0 initially.
+### Returns
+ * *Integer* **-2** if the response is incomplete.
+ * *Integer* **-1** if the response could not be parsed.
+ * *Object* An object with **bytes_parsed**, **minor_version**, **status**, **message**, and **headers** fields on successful parse.
+`;
+
+docs['sha1Digest()'] =`
+Calculates a SHA1 digest.
+
+Completes synchronously.
+### Parameters
+ * *String* **value** The value for which to calculate the digest.
+### Returns
+*String* The SHA1 digest of UTF-8 encoded \`value\`.
+`;
+
+docs['maskBytes()'] = `
+Masks bytes for WebSocket communication.
+
+Completes synchronously.
+### Parameters
+ * *Uint8Array* **bytes** The byte array of data to mask.
+ * *Uint32* **mask** The mask to apply.
+### Returns
+*Uint32Array* The masked bytes.
+`;
+
+docs['exit()'] = `
+Exits the app.  But why would you want to do that?
+
+Completes synchronously.
+### Parameters
+ * *Integer* **exit_code** System exit code.
+`;
+
+docs['version()'] = `
+Gets version information for the running server.
+### Returns
+*Object* Keys are things like \`name\` and \`number\` for the server itself and \`libuv\` and \`openssl\` for
+dependencies.  Values are *String* version numbers.
+`;
+
+docs['platform()'] = `
+Gets the host operating system platform of the running server.
+### Returns
+*String* The platform, one of \`windows\`, \`android\`, \`linux\`, or \`other\`.
+`;
+
+docs['getFile()'] = `
+Gets a file from the running app.
+### Parameters
+ * *String* **name** Name of the file to retrieve.
+### Returns
+*Uint8Array* The contents of a file from the app with the given name, or *undefined*.
+`;
+
+docs.database = `
+# <span style="color: #aaf">Database</span>
+Local-only storage is provided by a \`Database\` type representing a key-value store.
+`;
+
+docs['database.get()'] = `
+Gets a value from the database.
+### Parameters
+ * *String* **key** The key.
+### Returns
+*String* The value from the database or undefined if not found.
+`;
+
+docs['database.getAll()'] = `
+Gets all keys from the database.
+### Returns
+*Array* An array of *String* key names for all keys in the given database.
+`;
+
+docs['database.getLike()'] = `
+Gets all keys and values from the database matching a pattern.
+### Parameters
+ * *String* **pattern** An sqlite \`LIKE\` pattern to match keys against.
+### Returns
+*Object* An object whose keys are the database keys and values are the database values that match the given pattern.
+`;
+
+docs['database.set()'] = `
+Sets a value in the database, creating a new entry or replacing an existing entry.
+### Parameters
+ * *String* **key** The key.
+ * *String* **value** The value.
+`;
+
+docs['database.exchange()'] = `
+Performs an atomic compare and exchange operation, setting a value in the database only if its current value matches what is expected.
+### Parameters
+ * *String* **key** The key.
+ * *String* **expected** The expected value.
+ * *String* **value** The new value.
+ ### Returns
+ *Boolean* true if the value is now the given value.
+`;
+
+docs['database.remove()'] = `
+Removes an entry from the database if it exists.
+### Parameters
+ * *String* **key** The key.
+`;
+
+docs.tfrpc = `
+# <span style="color: #aaf" id="tfrpc">tfrpc</span>
+\`tfrpc.js\` is a small helper script that is available to be used to facilitate communication between parts of an application.
+
+\`tfrpc.js\` can be used to asynchronously make calls between the app code running in a sandboxed iframe in the browser
+and the app process on the server.
+
+From \`app.js\`:
+\`\`\`
+import * as tfrpc from '/tfrpc.js';
+\`\`\`
+
+
+From script running in the browser:
+\`\`\`
+import * as tfrpc from '/static/tfrpc.js';
+\`\`\`
+
+Either side can register or call functions, though they must be registered before they can be called.  Arguments and return
+values are ultimately serialized by means that attempt to preserve most JSON-serializable values as well as functions themselves.
+`;
+
+docs['tfrpc.register()'] = `
+Register a function, allowing it to be called remotely.
+### Parameters
+ * *Function* **function** The function to register.  Its name will be how it will be called.
+`;
+
+docs['tfrpc.rpc.*()'] = `
+Call a remote function.
+### Parameters
+ * **...** Parameters to pass to the function.
+### Returns
+The return value of the called function.
+`;
--- a/apps/gg/app.js
+++ b/apps/gg/app.js
@ -8,6 +8,7 @@ tfrpc.register(async function createIdentity() {
 	return ssb.createIdentity();
 });
 tfrpc.register(async function appendMessage(id, message) {
+	print('APPEND', JSON.stringify(message));
 	return ssb.appendMessageWithIdentity(id, message);
 });
 tfrpc.register(function url() {
--- a/apps/gg/handler.js
+++ b/apps/gg/handler.js
@ -1,12 +1,13 @@
 import * as strava from './strava.js';

 async function main() {
+	print('handler running');
 	let r = await strava.authorization_code(request.query.code);
 	print('state =', request.query.state);
 	print('body = ', r.body);
 	if (request.query.state && r.body) {
 		let shared_db = await shared_database('state');
-		await shared_db.set(request.query.state, r.body);
+		await shared_db.set(request.query.state, utf8Decode(r.body));
 	}
 	await respond({
 		data: r.body,
--- a/apps/gg/index.html
+++ b/apps/gg/index.html
@ -6,11 +6,9 @@
 			let g_data = ${data};
 		</script>
 		<script src="script.js" type="module"></script>
-		<link rel="stylesheet" href="leaflet.css"/>
 		<script src="leaflet.js"></script>
 	</head>
 	<body style="color: #fff; display: flex; flex-flow: column; height: 100%; width: 100%; margin: 0; padding: 0">
-		<gg-app style="flex: 0 1 auto; overflow: scroll"></gg-app>
-		<div id="map" style="flex: 1 0"></div>
+		<gg-app style="width: 100%; height: 100%" id="ggapp"></gg-app>
 	</body>
 </html>
--- a/apps/gg/leaflet.js.map
+++ b/apps/gg/leaflet.js.map
--- a/apps/gg/script.js
+++ b/apps/gg/script.js
@ -14,6 +14,15 @@ const k_color_pavement = [32, 32, 32, 255];
 const k_color_grass = [0, 255, 0, 255];
 const k_color_default = [128, 128, 128, 255];

+const k_store = {
+	'🦞': 15,
+	'🛶': 10,
+	'🏠': 10,
+	'⛰': 10,
+};
+
+const k_marker_snap = {x: 5, y: 1};
+
 class GgAppElement extends LitElement {
 	static get properties() {
 		return {
@ -22,8 +31,12 @@ class GgAppElement extends LitElement {
 			activities: {type: Array},
 			activity: {type: Object},
 			world: {type: Object},
-			id: {type: String},
+			whoami: {type: String},
 			status: {type: Object},
+			tab: {type: String},
+			url: {type: String},
+			currency: {type: Number},
+			to_build: {type: String},
 		};
 	}

@ -32,20 +45,25 @@ class GgAppElement extends LitElement {
 		this.activities = [];
 		this.activity = {};
 		this.loaded_activities = [];
+		this.placed_emojis = [];
 		this.strava = {};
 		this.min_lat = Number.MAX_VALUE;
 		this.min_lon = Number.MAX_VALUE;
 		this.max_lat = -Number.MAX_VALUE;
 		this.max_lon = -Number.MAX_VALUE;
+		this.focus = undefined;
 		this.status = undefined;
+		this.tab = 'map';
 		this.load().catch(function(e) {
 			console.log('load error', e);
 		});
+		this.to_build = '🏠';
 	}

 	async load() {
 		console.log('load');
 		this.user = await tfrpc.rpc.getUser();
+		this.url = (await tfrpc.rpc.url()).split('?')[0];
 		try {
 			await this.update_credentials();
 		} catch (e) {
@ -57,17 +75,35 @@ class GgAppElement extends LitElement {
 			console.log('update_activities failed', e);
 		}
 		await this.acquire_ssb_identity();
-		if (this.id && this.activities?.length) {
+		if (this.whoami && this.activities?.length) {
 			await this.sync_activities();
 		}
 		await this.get_activities_from_ssb();
 	}

+	/* https://gist.github.com/jcouyang/632709f30e12a7879a73e9e132c0d56b?permalink_comment_id=3591045#gistcomment-3591045 */
+	async promise_all(promises, max_concurrent) {
+		let index = 0;
+		let results = [];
+		async function exec_thread() {
+			while (index < promises.length) {
+				const current = index++;
+				results[current] = await promises[current];
+			}
+		}
+		const threads = [];
+		for (let thread = 0; thread < max_concurrent; thread++) {
+			threads.push(exec_thread());
+		}
+		await Promise.all(threads);
+		return results;
+	}
+
 	async get_activities_from_ssb() {
 		this.status = {text: 'loading activities'};
 		this.loaded_activities = [];
-		let blob_ids = await tfrpc.rpc.query(`
-			SELECT json_extract(mention.value, '$.link') AS blob_id
+		let rows = await tfrpc.rpc.query(`
+			SELECT messages.author, json_extract(mention.value, '$.link') AS blob_id
 			FROM messages_fts('"gg-activity"')
 			JOIN messages ON messages.rowid = messages_fts.rowid,
 				json_each(messages.content, '$.mentions') as mention
@ -75,15 +111,49 @@ class GgAppElement extends LitElement {
 			json_extract(mention.value, '$.name') = 'activity_data'
 			ORDER BY messages.timestamp DESC
 		`, []);
-		for (let [index, row] of blob_ids.entries()) {
-			this.status = {text: 'loading activity data', value: index, max: blob_ids.length};
-			let blob = await tfrpc.rpc.get_blob(row.blob_id);
+		this.status = {text: 'loading activity data'};
+		let authors = rows.map(x => x.author);
+		let blobs = await this.promise_all(rows.map(x => tfrpc.rpc.get_blob(x.blob_id)), 8);
+		this.status = {text: 'processing activity data'};
+		for (let [index, blob] of blobs.entries()) {
+			let activity;
 			try {
-				this.loaded_activities.push(JSON.parse(blob));
+				activity = JSON.parse(blob);
 			} catch {
-				this.loaded_activities.push(gpx_parse(blob));
+				activity = gpx_parse(blob);
+			}
+			if (activity) {
+				activity.author = authors[index];
+				this.loaded_activities.push(activity);
 			}
 		}
+		this.status = {text: 'calculating balance'};
+		rows = await tfrpc.rpc.query(`
+			SELECT count(*) AS currency FROM messages WHERE author = ? AND json_extract(content, '$.type') = 'gg-activity'
+		`, [this.whoami]);
+		let currency = rows[0].currency;
+		rows = await tfrpc.rpc.query(`
+			SELECT SUM(json_extract(content, '$.cost')) AS cost FROM messages WHERE author = ? AND json_extract(content, '$.type') = 'gg-place'
+		`, [this.whoami]);
+		let spent = rows[0].cost;
+		this.currency = currency - spent;
+		this.status = {text: 'getting placed emojis'};
+		rows = await tfrpc.rpc.query(`
+			SELECT messages.content
+			FROM messages_fts('"gg-place"')
+			JOIN messages ON messages.rowid = messages_fts.rowid
+			WHERE json_extract(messages.content, '$.type') = 'gg-place'
+			ORDER BY messages.timestamp
+		`);
+		for (let row of rows) {
+			console.log(row.content);
+			let content = JSON.parse(row.content);
+			this.placed_emojis.push({
+				position: content.position,
+				emoji: content.emoji,
+			});
+		}
+		console.log(this.placed_emojis);
 		this.status = undefined;
 		this.update_map();
 	}
@ -101,7 +171,7 @@ class GgAppElement extends LitElement {
 			SELECT from_strava.value FROM json_each(?) AS from_strava
 			LEFT OUTER JOIN my_activities ON from_strava.value = my_activities.url
 			WHERE my_activities.url IS NULL
-			`, [this.id, JSON.stringify(ids)]);
+			`, [this.whoami, JSON.stringify(ids)]);
 		console.log('missing = ', missing);
 		for (let [index, row] of missing.entries()) {
 			this.status = {text: 'syncing from strava', value: index, max: missing.length};
@ -127,7 +197,7 @@ class GgAppElement extends LitElement {
 					}
 				],
 			};
-			await tfrpc.rpc.appendMessage(this.id, message);
+			await tfrpc.rpc.appendMessage(this.whoami, message);
 		}
 		this.status = undefined;
 	}
@ -146,16 +216,16 @@ class GgAppElement extends LitElement {
 			ORDER BY timestamp DESC limit 1
 			`, [JSON.stringify(ids)])).map(row => row.author) : [];
 		if (!players.length) {
-			this.id = await tfrpc.rpc.createIdentity();
-			if (this.id) {
-				await tfrpc.rpc.appendMessage(this.id, {
+			this.whoami = await tfrpc.rpc.createIdentity();
+			if (this.whoami) {
+				await tfrpc.rpc.appendMessage(this.whoami, {
 					type: 'gg-player',
 					active: true,
 				});
 			}
 		} else {
 			players.sort();
-			this.id = players[0];
+			this.whoami = players[0];
 		}
 	}

@ -249,9 +319,94 @@ class GgAppElement extends LitElement {
 		};
 	}

+	on_click(event) {
+		let popup = L.popup()
+			.setLatLng(event.latlng)
+			.setContent(`
+				<div><a target="_top" href="https://www.google.com/maps/search/?api=1&query=${event.latlng.lat},${event.latlng.lng}">${event.latlng.lat}, ${event.latlng.lng}</a></div>
+			`)
+			.openOn(this.leaflet);
+	}
+
+	async build() {
+		if (this.popup) {
+			this.popup.remove();
+		}
+		if (!this.marker) {
+			return;
+		}
+		let latlng = this.marker.getLatLng();
+
+		let cost = k_store[this.to_build];
+		if (cost > this.currency) {
+			alert('Insufficient funds.');
+			return;
+		}
+		let message = {
+			type: 'gg-place',
+			position: {lat: latlng.lat, lng: latlng.lng},
+			emoji: this.to_build,
+			cost: cost,
+		};
+		let id = await tfrpc.rpc.appendMessage(this.whoami, message);
+		this.marker.remove();
+		this.placed_emojis.push({
+			position: {lat: latlng.lat, lng: latlng.lng},
+			emoji: this.to_build,
+		});
+		this.currency -= cost;
+		return this.update_map();
+	}
+
+	on_marker_click(event) {
+		this.popup = L.popup()
+			.setLatLng(event.latlng)
+			.setContent(`
+				${this.to_build} (-${k_store[this.to_build]}) <input type="button" value="Build" onclick="document.getElementById('ggapp').build()"></input>
+			`)
+			.openOn(this.leaflet);
+	}
+
+	snap_to_grid(latlng, fudge) {
+		let position = this.leaflet.options.crs.latLngToPoint(latlng, this.leaflet.getZoom());
+		position.x = Math.round(position.x / 16) * 16 + (fudge?.x ?? 0);
+		position.y = Math.round(position.y / 16) * 16 + (fudge?.y ?? 0);
+		position = this.leaflet.options.crs.pointToLatLng(position, this.leaflet.getZoom());
+		return position;
+	}
+
+	on_marker_move(event) {
+		if (!this.no_snap && this.marker) {
+			this.no_snap = true;
+			this.marker.setLatLng(this.snap_to_grid(this.marker.getLatLng(), k_marker_snap));
+			this.no_snap = false;
+		}
+	}
+
+	on_mouse_down(event) {
+		if (this.marker) {
+			this.marker.remove();
+			this.marker = undefined;
+		}
+
+		if (this.to_build) {
+			this.marker = L.marker(this.snap_to_grid(event.latlng, k_marker_snap), {icon: L.divIcon({className: 'build-icon'}), draggable: true}).addTo(this.leaflet);
+			this.marker.on({click: this.on_marker_click.bind(this)});
+			this.marker.on({drag: this.on_marker_move.bind(this)});
+		}
+	}
+
 	async update_map() {
+		let map = this.shadowRoot.getElementById('map');
+		if (!map || !this.loaded_activities.length) {
+			this.leaflet = undefined;
+			this.grid_layer = undefined;
+			return;
+		}
 		if (!this.leaflet) {
-			this.leaflet = L.map('map', {attributionControl: false, maxZoom: 16, bounceAtZoomLimits: false});
+			this.leaflet = L.map(map, {attributionControl: false, maxZoom: 16, bounceAtZoomLimits: false});
+			this.leaflet.on({contextmenu: this.on_click.bind(this)});
+			this.leaflet.on({click: this.on_mouse_down.bind(this)});
 		}
 		let self = this;
 		let grid_layer = L.GridLayer.extend({
@ -266,9 +421,6 @@ class GgAppElement extends LitElement {
 				let degrees = 360.0 / (2 ** coords.z);
 				let ul = bounds.getNorthWest();
 				let lr = bounds.getSouthEast();
-				//context.fillText(JSON.stringify(coords), 0, 12);
-				//context.fillText(`${Math.round(ul.lat * 100) / 100} ${Math.round(ul.lng * 100) / 100}`, 0, 24);
-				//context.fillText(`${Math.round(lr.lat * 100) / 100} ${Math.round(lr.lng * 100) / 100}`, 0, 36);

 				let mini = document.createElement('canvas');
 				mini.width = Math.floor(size.x / 16.0);
@ -278,16 +430,27 @@ class GgAppElement extends LitElement {
 				for (let activity of self.loaded_activities) {
 					self.draw_activity_to_tile(image_data, mini.width, mini.height, ul, lr, activity);
 				}
-				//mini_context.putImageData(image_data, 0, 0);
+				context.textAlign = 'left';
+				context.textBaseline = 'top';
 				for (let x = 0; x < mini.width; x++) {
 					for (let y = 0; y < mini.height; y++) {
 						let start = (y * mini.width + x) * 4;
 						let pixel = self.color_to_emoji(image_data.data.slice(start, start + 4));
 						if (pixel) {
-							context.fillText(pixel, x * size.x / mini.width, y * size.y / mini.height + 10);
+							context.fillText(pixel, x * size.x / mini.width, y * size.y / mini.height);
 						}
 					}
 				}
+				for (let placed of self.placed_emojis) {
+					let position = self.leaflet.options.crs.latLngToPoint(self.snap_to_grid(placed.position), coords.z);
+					let tile_x = Math.floor(position.x / size.x);
+					let tile_y = Math.floor(position.y / size.y);
+					position.x = position.x - tile_x * size.x;
+					position.y = position.y - tile_y * size.y;
+					if (tile_x == coords.x && tile_y == coords.y) {
+						context.fillText(placed.emoji, position.x, position.y);
+					}
+				}
 				return tile;
 			}
 		});
@ -304,11 +467,19 @@ class GgAppElement extends LitElement {
 			this.max_lat = Math.max(this.max_lat, bounds.max.lat);
 			this.max_lon = Math.max(this.max_lon, bounds.max.lng);
 		}
+		if (this.focus) {
+			this.leaflet.fitBounds([
+				this.focus.min,
+				this.focus.max,
+			]);
+			this.focus = undefined;
+		} else {
 			this.leaflet.fitBounds([
 				[this.min_lat, this.min_lon],
 				[this.max_lat, this.max_lon],
 			]);
 		}
+	}

 	activity_to_color(activity) {
 		let color = [0, 0, 0, 255];
@ -483,8 +654,8 @@ class GgAppElement extends LitElement {
 					}
 				],
 			};
-			console.log('id =', this.id, 'message = ', message);
-			let id = await tfrpc.rpc.appendMessage(this.id, message);
+			console.log('id =', this.whoami, 'message = ', message);
+			let id = await tfrpc.rpc.appendMessage(this.whoami, message);
 			console.log('appended message', id);
 			alert('Activity uploaded.');
 			await this.get_activities_from_ssb();
@ -500,31 +671,119 @@ class GgAppElement extends LitElement {
 		input.click();
 	}

-	render() {
-		if (!this.user?.credentials?.session?.name) {
-			return html`<div>Please <a target="_top" href="/login">login</a> to Tilde Friends, first.</div>`;
+	updated() {
+		this.update_map();
 	}
-		if (!this.strava?.access_token) {
-			let strava_url = `https://www.strava.com/oauth/authorize?client_id=${k_client_id}&redirect_uri=${k_redirect_url}&response_type=code&approval_prompt=auto&scope=activity%3Aread&state=${g_data.state}`;
+
+	focus_map(activity) {
+		let bounds = this.activity_bounds(activity);
+		if (bounds.min.lat < bounds.max.lat &&
+			bounds.min.lng < bounds.max.lng) {
+			this.tab = 'map';
+			this.focus = bounds;
+		}
+	}
+
+	render_news() {
 		return html`
-				<div style="display: flex; flex-direction: row; align-items: center; gap: 1em; width: 100%">
-					<div style="flex: 1 1">Please <a target="_top" href=${strava_url}>login</a> to Strava.</div>
-					<span style="font-size: xx-small; flex: 1 1; word-break: break-all">${this.id}</span>
-					<input type="button" value="📁" @click=${this.upload}></input>
+			<ul>
+				${this.loaded_activities.map(x => html`
+					<li style="cursor: pointer" @click=${() => this.focus_map(x)}>${x.author} ${x.name ?? x.time}</li>
+				`)}
+			</ul>
+		`;
+	}
+
+	render_store_item(item) {
+		let [emoji, cost] = item;
+		return html`
+			<div>
+				<input type="button" value="${emoji}" @click=${() => this.to_build = emoji}></input> ${cost} ${emoji == this.to_build ? '<-- Will be built next' : undefined}
 			</div>
 		`;
 	}

+	render_store() {
 		return html`
+			<h2>Store</h2>
+			<div><b>Your balance:</b> ${this.currency}</div>
+			${Object.entries(k_store).map(this.render_store_item.bind(this))}
+		`;
+	}
+
+	render() {
+		let header;
+		if (!this.user?.credentials?.session?.name) {
+			header = html`<div style="flex: 1 0">Please <a target="_top" href="/login?return=${this.url}">login</a> to Tilde Friends, first.</div>`;
+		} else if (!this.strava?.access_token) {
+			let strava_url = `https://www.strava.com/oauth/authorize?client_id=${k_client_id}&redirect_uri=${k_redirect_url}&response_type=code&approval_prompt=auto&scope=activity%3Aread&state=${g_data.state}`;
+			header = html`
+				<div style="flex: 1 0; display: flex; flex-direction: row; align-items: center; gap: 1em; width: 100%">
+					<div style="flex: 1 1">Please <a target="_top" href=${strava_url}>login</a> to Strava.</div>
+					<span style="font-size: xx-small; flex: 1 1; word-break: break-all">${this.whoami}</span>
+					<input type="button" value="📁" @click=${this.upload}></input>
+				</div>
+			`;
+		} else {
+			header = html`
 				<div>
-				<div style="display: flex; flex-direction: row; align-items: center; gap: 1em; width: 100%">
+					<div style="flex: 1 0; display: flex; flex-direction: row; align-items: center; gap: 1em; width: 100%">
 						<h1>Welcome, ${this.user.credentials.session.name}</h1>
-					<span style="font-size: xx-small; flex: 1 1; word-break: break-all">${this.id}</span>
+						<span style="font-size: xx-small; flex: 1 1; word-break: break-all">${this.whoami}</span>
 						<input type="button" value="📁" @click=${this.upload}></input>
 					</div>
 					<h3 ?hidden=${!this.status?.text}>${this.status?.text} <progress ?hidden=${!this.status?.max} value=${this.status?.value} max=${this.status?.max}>${this.status?.value}</progress></h3>
 				</div>
 			`;
 		}
+
+		let navigation = html`
+			<style>
+				#navigation input[type="button"] {
+					min-width: 3em;
+					min-height: 3em;
+					flex: 1 0;
+					font-size: large;
+				}
+			</style>
+			<div id="navigation" style="display: flex; flex-direction: row">
+				<input type="button" id="button_map" @click=${() => this.tab = 'map'} value="🗺️Map"></input>
+				<input type="button" id="button_news" @click=${() => this.tab = 'news'} value="🏃News"></input>
+				<input type="button" id="button_friends" @click=${() => this.tab = 'friends'} value="👫Friends"></input>
+				<input type="button" id="button_store" @click=${() => this.tab = 'store'} value="🏗️Store"></input>
+			</div>
+		`;
+
+		let content;
+		switch (this.tab) {
+			case 'map':
+				content = html`<div id="map" style="width: 100%; height: 100%"></div>`;
+				break;
+			case 'news':
+				content = this.render_news();
+				break;
+			case 'friends':
+				content = html`<div>Friends</div>`;
+				break;
+			case 'store':
+				content = this.render_store();
+				break;
+		}
+
+		return html`
+			<style>
+			.build-icon::before {
+				content: '📍';
+				border: 2px solid red;
+			}
+			</style>
+			<link rel="stylesheet" href="leaflet.css"/>
+			<div style="width: 100%; height: 100%; display: flex; flex-direction: column">
+				${header}
+				<div style="flex: 1 0; overflow: scroll">${content}</div>
+				${navigation}
+			</div>
+		`;
+	}
 }
 customElements.define('gg-app', GgAppElement);
--- a/apps/issues.json
+++ b/apps/issues.json
@ -0,0 +1,4 @@
+{
+  "type": "tildefriends-app",
+  "emoji": "🦟"
+}
--- a/apps/issues/app.js
+++ b/apps/issues/app.js
@ -0,0 +1,105 @@
+import * as tfrpc from '/tfrpc.js';
+
+let g_database;
+let g_hash;
+
+tfrpc.register(async function localStorageGet(key) {
+	return app.localStorageGet(key);
+});
+tfrpc.register(async function localStorageSet(key, value) {
+	return app.localStorageSet(key, value);
+});
+tfrpc.register(async function databaseGet(key) {
+	return g_database ? g_database.get(key) : undefined;
+});
+tfrpc.register(async function databaseSet(key, value) {
+	return g_database ? g_database.set(key, value) : undefined;
+});
+tfrpc.register(async function createIdentity() {
+	return ssb.createIdentity();
+});
+tfrpc.register(async function getIdentities() {
+	return ssb.getIdentities();
+});
+tfrpc.register(async function getAllIdentities() {
+	return ssb.getAllIdentities();
+});
+tfrpc.register(async function getBroadcasts() {
+	return ssb.getBroadcasts();
+});
+tfrpc.register(async function getConnections() {
+	return ssb.connections();
+});
+tfrpc.register(async function getStoredConnections() {
+	return ssb.storedConnections();
+});
+tfrpc.register(async function forgetStoredConnection(connection) {
+	return ssb.forgetStoredConnection(connection);
+});
+tfrpc.register(async function createTunnel(portal, target) {
+	return ssb.createTunnel(portal, target);
+});
+tfrpc.register(async function connect(token) {
+	await ssb.connect(token);
+});
+tfrpc.register(async function closeConnection(id) {
+	await ssb.closeConnection(id);
+});
+tfrpc.register(async function query(sql, args) {
+	let result = [];
+	await ssb.sqlAsync(sql, args, function callback(row) {
+		result.push(row);
+	});
+	return result;
+});
+tfrpc.register(async function appendMessage(id, message) {
+	return ssb.appendMessageWithIdentity(id, message);
+});
+core.register('message', async function message_handler(message) {
+	if (message.event == 'hashChange') {
+		g_hash = message.hash;
+		await tfrpc.rpc.hashChanged(message.hash);
+	}
+});
+tfrpc.register(function getHash(id, message) {
+	return g_hash;
+});
+tfrpc.register(function setHash(hash) {
+	return app.setHash(hash);
+});
+ssb.addEventListener('message', async function(id) {
+	await tfrpc.rpc.notifyNewMessage(id);
+});
+tfrpc.register(async function store_blob(blob) {
+	if (Array.isArray(blob)) {
+		blob = Uint8Array.from(blob);
+	}
+	return await ssb.blobStore(blob);
+});
+tfrpc.register(async function get_blob(id) {
+	return utf8Decode(await ssb.blobGet(id));
+});
+tfrpc.register(async function store_message(message) {
+	return await ssb.storeMessage(message);
+});
+tfrpc.register(function apps() {
+	return core.apps();
+});
+tfrpc.register(async function try_decrypt(id, content) {
+	return await ssb.privateMessageDecrypt(id, content);
+});
+ssb.addEventListener('broadcasts', async function() {
+	await tfrpc.rpc.set('broadcasts', await ssb.getBroadcasts());
+});
+
+core.register('onConnectionsChanged', async function() {
+	await tfrpc.rpc.set('connections', await ssb.connections());
+});
+
+async function main() {
+	if (typeof(database) !== 'undefined') {
+		g_database = await database('ssb');
+	}
+	await app.setDocument(utf8Decode(await getFile('index.html')));
+}
+main();
--- a/apps/issues/commonmark-linkify.js
+++ b/apps/issues/commonmark-linkify.js
@ -0,0 +1,91 @@
+function textNode(text) {
+  const node = new commonmark.Node("text", undefined);
+  node.literal = text;
+  return node;
+}
+
+function linkNode(text, url) {
+  const urlNode = new commonmark.Node("link", undefined);
+  urlNode.destination = url;
+  urlNode.appendChild(textNode(text));
+
+  return urlNode;
+}
+
+function splitMatches(text, regexp) {
+  // Regexp must be sticky.
+  regexp = new RegExp(regexp, "gm");
+
+  let i = 0;
+  const result = [];
+
+  let match = regexp.exec(text);
+  while (match) {
+    const matchText = match[0];
+
+    if (match.index > i) {
+      result.push([text.substring(i, match.index), false]);
+    }
+
+    result.push([matchText, true]);
+    i = match.index + matchText.length;
+
+    match = regexp.exec(text);
+  }
+
+  if (i < text.length) {
+    result.push([text.substring(i, text.length), false]);
+  }
+
+  return result;
+}
+
+const urlRegexp = new RegExp("https?://[^ ]+[^ .,]");
+
+function splitURLs(textNodes) {
+  const text = textNodes.map(n => n.literal).join("");
+  const parts = splitMatches(text, urlRegexp);
+
+  return parts.map(part => {
+    if (part[1]) {
+      return linkNode(part[0], part[0]);
+    } else {
+      return textNode(part[0]);
+    }
+  });
+}
+
+export function transform(parsed) {
+  const walker = parsed.walker();
+  let event;
+
+  let nodes = [];
+  while ((event = walker.next())) {
+    const node = event.node;
+    if (event.entering && node.type === "text") {
+      nodes.push(node);
+    } else {
+      if (nodes.length > 0) {
+        splitURLs(nodes)
+          .reverse()
+          .forEach(newNode => {
+            nodes[0].insertAfter(newNode);
+          });
+
+        nodes.forEach(n => n.unlink());
+        nodes = [];
+      }
+    }
+  }
+
+  if (nodes.length > 0) {
+    splitURLs(nodes)
+      .reverse()
+      .forEach(newNode => {
+        nodes[0].insertAfter(newNode);
+      });
+    nodes.forEach(n => n.unlink());
+  }
+
+  return parsed;
+}
--- a/apps/issues/commonmark.min.js
+++ b/apps/issues/commonmark.min.js
--- a/apps/issues/index.html
+++ b/apps/issues/index.html
@ -0,0 +1,14 @@
+<!DOCTYPE html>
+<html style="color: #fff">
+	<head>
+		<title>Tilde Friends</title>
+		<base target="_top">
+	</head>
+	<body>
+		<tf-issues-app/>
+		<script>window.litDisableBundleWarning = true;</script>
+		<script src="commonmark.min.js"></script>
+		<script src="commonmark-linkify.js" type="module"></script>
+		<script src="script.js" type="module"></script>
+	</body>
+</html>
--- a/apps/issues/lit-all.min.js
+++ b/apps/issues/lit-all.min.js
--- a/apps/issues/lit-all.min.js.map
+++ b/apps/issues/lit-all.min.js.map
--- a/apps/issues/script.js
+++ b/apps/issues/script.js
@ -0,0 +1,260 @@
+import {LitElement, html, unsafeHTML} from './lit-all.min.js';
+import * as tfrpc from '/static/tfrpc.js';
+import * as tfutils from './tf-utils.js';
+
+const k_project = '%Hr+4xEVtjplidSKBlRWi4Aw/0Tfw7B+1OR9BzlDKmOI=.sha256';
+
+class TfIdPickerElement extends LitElement {
+	static get properties() {
+		return {
+			ids: {type: Array},
+			selected: {type: String},
+		};
+	}
+
+	constructor() {
+		super();
+		this.load();
+	}
+
+	async load() {
+		this.selected = await tfrpc.rpc.localStorageGet('whoami');
+		this.ids = (await tfrpc.rpc.getIdentities()) || [];
+	}
+
+	changed(event) {
+		this.selected = event.srcElement.value;
+		tfrpc.rpc.localStorageSet('whoami', this.selected);
+	}
+
+	render() {
+		if (this.ids) {
+			return html`
+				<select @change=${this.changed} style="max-width: 100%">
+					${(this.ids).map(id => html`<option ?selected=${id == this.selected} value=${id}>${id}</option>`)}
+				</select>
+			`;
+		} else {
+			return html`<div>Loading...</div>`;
+		}
+	}
+}
+customElements.define('tf-id-picker', TfIdPickerElement);
+
+class TfComposeElement extends LitElement {
+	static get properties() {
+		return {
+			value: {type: String},
+		};
+	}
+
+	input() {
+		let input = this.renderRoot.getElementById('input');
+		let preview = this.renderRoot.getElementById('preview');
+		if (input && preview) {
+			preview.innerHTML = tfutils.markdown(input.value);
+		}
+	}
+
+	submit() {
+		this.dispatchEvent(new CustomEvent('tf-submit', {
+			bubbles: true,
+			composed: true,
+			detail: {
+				value: this.renderRoot.getElementById('input').value,
+			},
+		}));
+		this.renderRoot.getElementById('input').value = '';
+		this.input();
+	}
+
+	render() {
+		return html`
+			<div style="display: flex; flex-direction: row">
+				<textarea id="input" @input=${this.input} style="flex: 1 1">${this.value}</textarea>
+				<div id="preview" style="flex: 1 1"></div>
+			</div>
+			<input type="submit" value="Submit" @click=${this.submit}></input>
+		`;
+	}
+}
+customElements.define('tf-compose', TfComposeElement);
+
+class TfIssuesAppElement extends LitElement {
+	static get properties() {
+		return {
+			issues: {type: Array},
+			selected: {type: Object},
+		};
+	}
+
+	constructor() {
+		super();
+		this.issues = [];
+		this.load();
+	}
+
+	async load() {
+		let issues = {};
+		let messages = await tfrpc.rpc.query(`
+			WITH issues AS (SELECT messages.* FROM messages_refs JOIN messages ON
+				messages.id = messages_refs.message
+				WHERE messages_refs.ref = ? AND json_extract(messages.content, '$.type') = 'issue'),
+			edits AS (SELECT messages.* FROM issues JOIN messages_refs ON
+				issues.id = messages_refs.ref JOIN messages ON
+				messages.id = messages_refs.message
+				WHERE json_extract(messages.content, '$.type') IN ('issue-edit', 'post'))
+			SELECT * FROM issues
+			UNION
+			SELECT * FROM edits ORDER BY timestamp
+		`, [k_project]);
+		for (let message of messages) {
+			let content = JSON.parse(message.content);
+			switch (content.type) {
+				case 'issue':
+					issues[message.id] = {
+						id: message.id,
+						author: message.author,
+						text: content.text,
+						updates: [],
+						created: message.timestamp,
+						open: true,
+					};
+					break;
+				case 'issue-edit':
+				case 'post':
+					for (let issue of (content.issues || [])) {
+						if (issues[issue.link]) {
+							if (issue.open !== undefined) {
+								issues[issue.link].open = issue.open;
+								message.open = issue.open;
+							}
+							issues[issue.link].updates.push(message);
+							issues[issue.link].updated = message.timestamp;
+						}
+					}
+					break;
+			}
+		}
+		this.issues = Object.values(issues).sort((x, y) => y.created - x.created);
+		if (this.selected) {
+			for (let issue of this.issues) {
+				if (issue.id == this.selected.id) {
+					this.selected = issue;
+				}
+			}
+		}
+	}
+
+	render_issue_table_row(issue) {
+		return html`
+			<tr>
+				<td>${issue.open ? 'open' : 'closed'}</td>
+				<td style="max-width: 8em; overflow: hidden; white-space: nowrap; text-overflow: ellipsis">${issue.author}</td>
+				<td style="max-width: 40em; overflow: hidden; white-space: nowrap; text-overflow: ellipsis; cursor: pointer" @click=${() => this.selected = issue}>
+					${issue.text.split('\n')?.[0]}
+				</td>
+				<td>${new Date(issue.updated ?? issue.created).toLocaleDateString()}</td>
+			</tr>
+		`;
+	}
+
+	render_update(update) {
+		let content = JSON.parse(update.content);
+		let message;
+		if (content.text) {
+			message = unsafeHTML(tfutils.markdown(content.text));
+		}
+		return html`
+			<div style="border-left: 2px solid #fff; padding-left: 8px">
+				<div>${new Date(update.timestamp).toLocaleString()}</div>
+				<div>${update.author}</div>
+				<div>${message}</div>
+				<div>${update.open !== undefined ? (update.open ? 'issue opened' : 'issue closed') : undefined}</div>
+			</div>
+		`;
+	}
+
+	async set_open(id, open) {
+		if (confirm(`Are you sure you want to ${open ? 'open' : 'close'} this issue?`)) {
+			let whoami = this.shadowRoot.getElementById('picker').selected;
+			await tfrpc.rpc.appendMessage(whoami, {
+				type: 'issue-edit',
+				issues: [
+					{
+						link: id,
+						open: open,
+					},
+				],
+			});
+			await this.load();
+		}
+	}
+
+	async create_issue(event) {
+		let whoami = this.shadowRoot.getElementById('picker').selected;
+		await tfrpc.rpc.appendMessage(whoami, {
+			type: 'issue',
+			project: k_project,
+			text: event.detail.value,
+		});
+		await this.load();
+	}
+
+	async reply_to_issue(event) {
+		let whoami = this.shadowRoot.getElementById('picker').selected;
+		await tfrpc.rpc.appendMessage(whoami, {
+			type: 'post',
+			text: event.detail.value,
+			root: this.selected.id,
+			branch: this.selected.updates.length ? this.selected.updates[this.selected.updates.length - 1].id : this.selected.id,
+			issues: [
+				{
+					link: this.selected.id,
+				},
+			],
+		});
+		await this.load();
+	}
+
+	render() {
+		let header = html`
+			<h1>Tilde Friends Issues</h1>
+			<tf-id-picker id="picker"></tf-id-picker>
+		`;
+		if (this.selected) {
+			return html`
+				${header}
+				<div>
+					<input type="button" value="Back" @click=${() => this.selected = undefined}></input>
+					${this.selected.open ?
+						html`<input type="button" value="Close Issue" @click=${() => this.set_open(this.selected.id, false)}></input>` :
+						html`<input type="button" value="Reopen Issue" @click=${() => this.set_open(this.selected.id, true)}></input>`}
+				</div>
+				<div>${new Date(this.selected.created).toLocaleString()}</div>
+				<div>${this.selected.author}</div>
+				<div>${this.selected.id}</div>
+				<div>${unsafeHTML(tfutils.markdown(this.selected.text))}</div>
+				${this.selected.updates.map(x => this.render_update(x))}
+				<tf-compose @tf-submit=${this.reply_to_issue}></tf-compose>
+			`;
+		} else {
+			return html`
+				${header}
+				<h2>New Issue</h2>
+				<tf-compose @tf-submit=${this.create_issue}></tf-compose>
+				<table>
+					<tr>
+						<th>Status</th>
+						<th>Author</th>
+						<th>Title</th>
+						<th>Date</th>
+					</tr>
+					${this.issues.map(x => this.render_issue_table_row(x))}
+				</table>
+			`;
+		}
+	}
+}
+
+customElements.define('tf-issues-app', TfIssuesAppElement);
--- a/apps/issues/tf-utils.js
+++ b/apps/issues/tf-utils.js
@ -0,0 +1,91 @@
+import * as linkify from './commonmark-linkify.js';
+
+function image(node, entering) {
+	if (node.firstChild?.type === 'text' &&
+		node.firstChild.literal.startsWith('video:')) {
+		if (entering) {
+			this.lit('<video style="max-width: 100%; max-height: 480px" title="' + this.esc(node.firstChild?.literal) + '" controls>');
+			this.lit('<source src="' + this.esc(node.destination) + '"></source>');
+			this.disableTags += 1;
+		} else {
+			this.disableTags -= 1;
+			this.lit('</video>');
+		}
+	} else if (node.firstChild?.type === 'text' &&
+		node.firstChild.literal.startsWith('audio:')) {
+		if (entering) {
+			this.lit('<audio style="height: 32px; max-width: 100%" title="' + this.esc(node.firstChild?.literal) + '" controls>');
+			this.lit('<source src="' + this.esc(node.destination) + '"></source>');
+			this.disableTags += 1;
+		} else {
+			this.disableTags -= 1;
+			this.lit('</audio>');
+		}
+	} else {
+		if (entering) {
+			if (this.disableTags === 0) {
+				this.lit('<div class="img_caption">' + this.esc(node.firstChild?.literal || node.destination) + '</div>');
+				if (this.options.safe && potentiallyUnsafe(node.destination)) {
+					this.lit('<img src="" alt="');
+				} else {
+					this.lit('<img src="' + this.esc(node.destination) + '" alt="');
+				}
+			}
+			this.disableTags += 1;
+		} else {
+			this.disableTags -= 1;
+			if (this.disableTags === 0) {
+				if (node.title) {
+					this.lit('" title="' + this.esc(node.title));
+				}
+				this.lit('" />');
+			}
+		}
+	}
+}
+
+export function markdown(md) {
+	var reader = new commonmark.Parser({safe: true});
+	var writer = new commonmark.HtmlRenderer();
+	writer.image = image;
+	var parsed = reader.parse(md || '');
+	parsed = linkify.transform(parsed);
+	var walker = parsed.walker();
+	var event, node;
+	while ((event = walker.next())) {
+		node = event.node;
+		if (event.entering) {
+			if (node.type == 'link') {
+				if (node.destination.startsWith('@') &&
+					node.destination.endsWith('.ed25519')) {
+					node.destination = '#' + node.destination;
+				} else if (node.destination.startsWith('%') &&
+					node.destination.endsWith('.sha256')) {
+					node.destination = '#' + node.destination;
+				} else if (node.destination.startsWith('&') &&
+					node.destination.endsWith('.sha256')) {
+					node.destination = '/' + node.destination + '/view';
+				}
+			} else if (node.type == 'image') {
+				if (node.destination.startsWith('&')) {
+					node.destination = '/' + node.destination + '/view';
+				}
+			}
+		}
+	}
+	return writer.render(parsed);
+}
+
+export function human_readable_size(bytes) {
+	let v = bytes;
+	let u = 'B';
+	for (let unit of ['kB', 'MB', 'GB']) {
+		if (v > 1024) {
+			v /= 1024;
+			u = unit;
+		} else {
+			break;
+		}
+	}
+	return `${Math.round(v * 10) / 10} ${u}`;
+}
--- a/apps/ssb/app.js
+++ b/apps/ssb/app.js
@ -88,6 +88,9 @@ tfrpc.register(function apps() {
 tfrpc.register(async function try_decrypt(id, content) {
 	return await ssb.privateMessageDecrypt(id, content);
 });
+tfrpc.register(async function encrypt(id, recipients, content) {
+	return await ssb.privateMessageEncrypt(id, recipients, content);
+});
 ssb.addEventListener('broadcasts', async function() {
 	await tfrpc.rpc.set('broadcasts', await ssb.getBroadcasts());
 });
--- a/apps/ssb/emojis.js
+++ b/apps/ssb/emojis.js
@ -64,7 +64,7 @@ export function picker(callback, anchor) {
 			while (list.firstChild) {
 				list.removeChild(list.firstChild);
 			}
-			let search = input.value;
+			let search = input.value.toLowerCase();
 			let any_at_all = false;
 			for (let row of Object.entries(json)) {
 				let header = document.createElement('div');
@ -74,7 +74,7 @@ export function picker(callback, anchor) {
 				for (let entry of Object.entries(row[1])) {
 					if (search &&
 						search.length &&
-						entry[0].indexOf(search) == -1) {
+						entry[0].toLowerCase().indexOf(search) == -1) {
 						continue;
 					}
 					let emoji = document.createElement('span');
--- a/apps/ssb/tf-compose.js
+++ b/apps/ssb/tf-compose.js
@ -176,7 +176,7 @@ class TfComposeElement extends LitElement {
 		}
 	}

-	submit() {
+	async submit() {
 		let self = this;
 		let draft = this.get_draft();
 		let edit = this.renderRoot.getElementById('edit');
@ -195,14 +195,25 @@ class TfComposeElement extends LitElement {
 			message.contentWarning = draft.content_warning;
 		}
 		console.log('Would post:', message);
-		tfrpc.rpc.appendMessage(this.whoami, message).then(function() {
+		if (draft.encrypt_to) {
+			let to = new Set(draft.encrypt_to);
+			to.add(this.whoami);
+			to = [...to];
+			message.recps = to;
+			console.log('message is now', message);
+			message = await tfrpc.rpc.encrypt(this.whoami, to, JSON.stringify(message));
+			console.log('encrypted as', message);
+		}
+		try {
+			await tfrpc.rpc.appendMessage(this.whoami, message).then(function() {
 				edit.value = '';
 				self.change();
 				self.notify(undefined);
 				self.requestUpdate();
-		}).catch(function(error) {
-			alert(error.message);
 			});
+		} catch (error) {
+			alert(error.message);
+		}
 	}

 	discard() {
@ -226,12 +237,47 @@ class TfComposeElement extends LitElement {
 		input.click();
 	}

+	async autocomplete(text, callback) {
+		this.last_autocomplete = text;
+		let results = [];
+		try {
+			let rows = await tfrpc.rpc.query(`
+				SELECT messages.content FROM messages_fts(?)
+				JOIN messages ON messages.rowid = messages_fts.rowid
+				WHERE messages.content LIKE ?
+				ORDER BY timestamp DESC LIMIT 10
+			`, ['"' + text.replace('"', '""') + '"', `%![%${text}%](%)%`]);
+			for (let row of rows) {
+				for (let match of row.content.matchAll(/!\[([^\]]*)\]\((&.*?)\)/g)) {
+					if (match[1].toLowerCase().indexOf(text.toLowerCase()) != -1) {
+						results.push({key: match[1], value: match[2]});
+					}
+				}
+			}
+		} finally {
+			if (this.last_autocomplete === text) {
+				callback(results);
+			}
+		}
+	}
+
 	firstUpdated() {
 		let tribute = new Tribute({
+			collection: [
+				{
 					values: Object.entries(this.users).map(x => ({key: x[1].name, value: x[0]})),
 					selectTemplate: function(item) {
 						return `[@${item.original.key}](${item.original.value})`;
 					},
+				},
+				{
+					trigger: '&',
+					values: this.autocomplete,
+					selectTemplate: function(item) {
+						return `![${item.original.key}](${item.original.value})`;
+					},
+				},
+			],
 		});
 		tribute.attach(this.renderRoot.getElementById('edit'));
 	}
@ -244,6 +290,16 @@ class TfComposeElement extends LitElement {
 			preview.innerHTML = this.process_text(edit.value);
 			this.last_updated_text = edit.value;
 		}
+		let encrypt = this.renderRoot.getElementById('encrypt_to');
+		if (encrypt) {
+			let tribute = new Tribute({
+				values: Object.entries(this.users).map(x => ({key: x[1].name, value: x[0]})),
+				selectTemplate: function(item) {
+					return item.original.value;
+				},
+			});
+			tribute.attach(encrypt);
+		}
 	}

 	remove_mention(id) {
@ -354,6 +410,45 @@ class TfComposeElement extends LitElement {
 		return this.drafts[this.branch || ''] || {};
 	}

+	update_encrypt(event) {
+		let input = event.srcElement;
+		let matches = input.value.match(/@.*?\.ed25519/g);
+		if (matches) {
+			let draft = this.get_draft();
+			let to = [...new Set(matches.concat(draft.encrypt_to))];
+			this.set_encrypt(to);
+			input.value = '';
+		}
+	}
+
+	render_encrypt() {
+		let draft = this.get_draft();
+		if (draft.encrypt_to === undefined) {
+			return;
+		}
+		return html`
+			<div style="display: flex; flex-direction: row; width: 100%">
+				<label for="encrypt_to">🔐 To:</label>
+				<input type="text" id="encrypt_to" style="display: flex; flex: 1 1" @input=${this.update_encrypt}></input>
+				<input type="button" value="🚮" @click=${() => this.set_encrypt(undefined)}></input>
+			</div>
+			<ul>
+				${draft.encrypt_to.map(x => html`
+					<li>
+						<tf-user id=${x} .users=${this.users}></tf-user>
+						<input type="button" value="🚮" @click=${() => this.set_encrypt(draft.encrypt_to.filter(id => id != x))}></input>
+					</li>`)}
+			</ul>
+		`;
+	}
+
+	set_encrypt(encrypt) {
+		let draft = this.get_draft();
+		draft.encrypt_to = encrypt;
+		this.notify(draft);
+		this.requestUpdate();
+	}
+
 	render() {
 		let self = this;
 		let draft = self.get_draft();
@ -361,7 +456,11 @@ class TfComposeElement extends LitElement {
 			draft.content_warning !== undefined ?
 			html`<div id="content_warning_preview" class="content_warning">${draft.content_warning}</div>` :
 			undefined;
+		let encrypt = draft.encrypt_to !== undefined ?
+			undefined :
+			html`<input type="button" value="🔐" @click=${() => this.set_encrypt([])}></input>`;
 		let result = html`
+			${this.render_encrypt()}
 			<div style="display: flex; flex-direction: row; width: 100%">
 				<textarea id="edit" @input=${this.input} @change=${this.change} @paste=${this.paste} style="flex: 1 0 50%">${draft.text}</textarea>
 				<div style="flex: 1 0 50%">
@ -375,6 +474,7 @@ class TfComposeElement extends LitElement {
 			<input type="button" id="submit" value="Submit" @click=${this.submit}></input>
 			<input type="button" value="Attach" @click=${this.attach}></input>
 			${this.render_attach_app_button()}
+			${encrypt}
 			<input type="button" value="Discard" @click=${this.discard}></input>
 		`;
 		return result;
--- a/apps/ssb/tf-message.js
+++ b/apps/ssb/tf-message.js
@ -14,7 +14,6 @@ class TfMessageElement extends LitElement {
 			format: {type: String},
 			blog_data: {type: String},
 			expanded: {type: Object},
-			decrypted: {type: Object},
 		};
 	}

@ -29,11 +28,12 @@ class TfMessageElement extends LitElement {
 		this.drafts = {};
 		this.format = 'message';
 		this.expanded = {};
-		this.decrypted = undefined;
 	}

 	show_reply() {
-		let event = new CustomEvent('tf-draft', {bubbles: true, composed: true, detail: {id: this.message?.id, draft: ''}});
+		let event = new CustomEvent('tf-draft', {bubbles: true, composed: true, detail: {id: this.message?.id, draft: {
+			encrypt_to: this.message?.decrypted?.recps,
+		}}});
 		this.dispatchEvent(event);
 	}

@ -222,8 +222,8 @@ class TfMessageElement extends LitElement {

 	render_channels() {
 		let content = this.message?.content;
-		if (this.decrypted?.type == 'post') {
-			content = this.decrypted;
+		if (this?.messsage?.decrypted?.type == 'post') {
+			content = this.message.decrypted;
 		}
 		let channels = [];
 		if (typeof content.channel === 'string') {
@ -240,19 +240,10 @@ class TfMessageElement extends LitElement {
 		return channels.map(x => html`<tf-tag tag=${x}></tf-tag>`);
 	}

-	async try_decrypt(content) {
-		let result = await tfrpc.rpc.try_decrypt(this.whoami, content);
-		if (result) {
-			this.decrypted = JSON.parse(result);
-		} else {
-			this.decrypted = false;
-		}
-	}
-
 	render() {
 		let content = this.message?.content;
-		if (this.decrypted?.type == 'post') {
-			content = this.decrypted;
+		if (this.message?.decrypted?.type == 'post') {
+			content = this.message.decrypted;
 		}
 		let self = this;
 		let raw_button;
@ -386,8 +377,8 @@ class TfMessageElement extends LitElement {
 							` :
 							content_warning :
 						content_html;
-				let is_encrypted = this.decrypted ? html`<span style="align-self: center">🔓</span>` : undefined;
-				let style_background = this.decrypted ? 'rgba(255, 0, 0, 0.2)' : 'rgba(255, 255, 255, 0.1)';
+				let is_encrypted = this.message?.decrypted ? html`<span style="align-self: center">🔓</span>` : undefined;
+				let style_background = this.message?.decrypted ? 'rgba(255, 0, 0, 0.2)' : 'rgba(255, 255, 255, 0.1)';
 				return html`
 					<style>
 						code {
@ -420,6 +411,40 @@ class TfMessageElement extends LitElement {
 						${this.render_children()}
 					</div>
 				`;
+			} else if (content.type === 'issue') {
+				let is_encrypted = this.message?.decrypted ? html`<span style="align-self: center">🔓</span>` : undefined;
+				let style_background = this.message?.decrypted ? 'rgba(255, 0, 0, 0.2)' : 'rgba(255, 255, 255, 0.1)';
+				return html`
+					<style>
+						code {
+							white-space: pre-wrap;
+							overflow-wrap: break-word;
+						}
+						div {
+							overflow-wrap: anywhere;
+						}
+						img {
+							max-width: 100%;
+							height: auto;
+							display: block;
+						}
+					</style>
+					<div style="border: 1px solid black; background-color: ${style_background}; margin-top: 8px; padding: 16px">
+						<div style="display: flex; flex-direction: row">
+							<tf-user id=${this.message.author} .users=${this.users}></tf-user>
+							${is_encrypted}
+							<span style="flex: 1"></span>
+							<span style="padding-right: 8px"><a target="_top" href=${'#' + self.message.id}>%</a> ${new Date(this.message.timestamp).toLocaleString()}</span>
+							<span>${raw_button}</span>
+						</div>
+						${content.text}
+						${this.render_votes()}
+						<div>
+							<input type="button" value="React" @click=${this.react}></input>
+						</div>
+						${this.render_children()}
+					</div>
+				`;
 			} else if (content.type === 'blog') {
 				let self = this;
 				tfrpc.rpc.get_blob(content.blog).then(function(data) {
@ -500,11 +525,8 @@ class TfMessageElement extends LitElement {
 					</div>
 				`);
 			} else if (typeof(this.message.content) == 'string') {
-				if (this.decrypted) {
+				if (this.message?.decrypted) {
 					return small_frame(html`<span>🔓</span><pre>${JSON.stringify(this.decrypted, null, 2)}</pre>`);
-				} else if (this.decrypted === undefined) {
-						this.try_decrypt(content);
-						return small_frame(html`<span>🔐</span>`);
 				} else {
 					return small_frame(html`<span>🔒</span>`);
 				}
--- a/apps/ssb/tf-styles.js
+++ b/apps/ssb/tf-styles.js
@ -45,4 +45,10 @@ div.img_caption {
 div.img_caption::after {
 	content: ' ±';
 }
+
+blockquote {
+	border-left: 4px solid #fff;
+	margin-left: 0px;
+	padding-left: 8px;
+}
 `;
--- a/apps/ssb/tf-tab-connections.js
+++ b/apps/ssb/tf-tab-connections.js
@ -42,11 +42,8 @@ class TfTabConnectionsElement extends LitElement {
 		let self = this;
 		let peers = this.broadcasts.filter(x => x.tunnel?.id == connection);
 		if (peers.length) {
-			return html`
-				<ul>
-					${peers.map(x => html`${self.render_room_peer(x)}`)}
-				</ul>
-			`;
+			let connections = this.connections.map(x => x.id);
+			return html`${peers.filter(x => connections.indexOf(x.pubkey) == -1).map(x => html`${self.render_room_peer(x)}`)}`;
 		}
 	}

@ -59,7 +56,7 @@ class TfTabConnectionsElement extends LitElement {
 		return html`
 			<li>
 				<input type="button" @click=${() => self._tunnel(connection.tunnel.id, connection.pubkey)} value="Connect"></input>
-				<tf-user id=${connection.pubkey} .users=${this.users}></tf-user>
+				<tf-user id=${connection.pubkey} .users=${this.users}></tf-user> 📡
 			</li>
 		`;
 	}
@ -79,6 +76,18 @@ class TfTabConnectionsElement extends LitElement {
 		this.stored_connections = (await tfrpc.rpc.getStoredConnections()) || [];
 	}

+	render_connection(connection) {
+		return html`
+			<input type="button" @click=${() => tfrpc.rpc.closeConnection(connection.id)} value="Close"></input>
+			<tf-user id=${connection.id} .users=${this.users}></tf-user>
+			${connection.tunnel !== undefined ? '🚇' : html`(${connection.host}:${connection.port})`}
+			<ul>
+				${this.connections.filter(x => x.tunnel === this.connections.indexOf(connection)).map(x => html`<li>${this.render_connection(x)}</li>`)}
+				${this.render_room_peers(connection.id)}
+			</ul>
+		`;
+	}
+
 	render() {
 		let self = this;
 		return html`
@ -93,12 +102,8 @@ class TfTabConnectionsElement extends LitElement {
 			</ul>
 			<h2>Connections</h2>
 			<ul>
-				${this.connections.map(x => html`
-					<li>
-						<input type="button" @click=${() => tfrpc.rpc.closeConnection(x)} value="Close"></input>
-						<tf-user id=${x} .users=${this.users}></tf-user>
-						${self.render_room_peers(x)}
-					</li>
+				${this.connections.filter(x => x.tunnel === undefined).map(x => html`
+					<li>${this.render_connection(x)}</li>
 				`)}
 			</ul>
 			<h2>Stored Connections (WIP)</h2>
--- a/apps/ssb/tf-tab-news-feed.js
+++ b/apps/ssb/tf-tab-news-feed.js
@ -124,7 +124,38 @@ class TfTabNewsFeedElement extends LitElement {
 				this.start_time,
 				last_start_time,
 			]);
-		this.messages = [...more, ...this.messages];
+		this.messages = await this.decrypt([...more, ...this.messages]);
+	}
+
+	async decrypt(messages) {
+		let result = [];
+		for (let message of messages) {
+			let content;
+			try {
+				content = JSON.parse(message?.content);
+			} catch {
+			}
+			if (typeof(content) === 'string') {
+				let decrypted;
+				try {
+					decrypted = await tfrpc.rpc.try_decrypt(this.whoami, content);
+				} catch {
+				}
+				if (decrypted) {
+					try {
+						message.decrypted = JSON.parse(decrypted);
+					} catch {
+						message.decrypted = decrypted;
+					}
+				}
+			}
+			result.push(message);
+		}
+		return result;
+	}
+
+	async add_messages(messages) {
+		this.messages = await this.decrypt([...messages, ...this.messages]);
 	}

 	render() {
@ -136,7 +167,7 @@ class TfTabNewsFeedElement extends LitElement {
 			this.messages = [];
 			this._messages_hash = this.hash;
 			this._messages_following = this.following;
-			this.fetch_messages().then(function(messages) {
+			this.fetch_messages().then(this.decrypt.bind(this)).then(function(messages) {
 				self.messages = messages;
 				console.log(`loading mesages done for ${self.whoami}`);
 			}).catch(function(error) {
--- a/apps/ssb/tf-tab-news.js
+++ b/apps/ssb/tf-tab-news.js
@ -48,7 +48,7 @@ class TfTabNewsElement extends LitElement {
 		let news = this.shadowRoot?.getElementById('news');
 		if (news) {
 			console.log('injecting messages', news.messages);
-			news.messages = Object.values(Object.fromEntries([...this.unread, ...news.messages].map(x => [x.id, x])));
+			news.add_messages(Object.values(Object.fromEntries(this.unread.map(x => [x.id, x]))));
 			this.dispatchEvent(new CustomEvent('refresh'));
 		}
 	}
--- a/core/auth.html
+++ b/core/auth.html
@ -89,9 +89,12 @@

 								<input type="radio" name="tab" id="guest" value="Guest" ?checked=${this.tab == 'guest'} @change=${() => self.tab_changed('guest')}></input>
 								<label for="guest" id="guest_label">Guest</label>
+
+								<input type="radio" name="tab" id="change" value="Change Password" ?checked=${this.tab == 'change'} @change=${() => self.tab_changed('change')}></input>
+								<label for="change" id="change_label">Change Password</label>
 							</div>

-							<div ?hidden=${this.tab != 'login' && this.tab != 'register'}>
+							<div ?hidden=${this.tab != 'login' && this.tab != 'register' && this.tab != 'change'}>
 								<div id="error" ?hidden=${this.error === undefined} class="error">
 									${this.error}
 								</div>
@ -99,14 +102,18 @@
 									<label for="name">Name:</label>
 									<input type="text" id="name" name="name"></input>

-									<label for="password">Password:</label>
+									<label for="password">${this.tab == 'change' ? 'Old ' : ''}Password:</label>
 									<input type="password" id="password" name="password"></input>

-									<label ?hidden=${this.tab != 'register'} for="confirm">Confirm Password:</label>
-									<input ?hidden=${this.tab != 'register'} type="password" id="confirm" name="confirm"></input>
+									<label ?hidden=${this.tab != 'change'} for="new_password">New Password:</label>
+									<input ?hidden=${this.tab != 'change'} type="password" id="new_password" name="new_password"></input>
+
+									<label ?hidden=${this.tab != 'register' && this.tab != 'change'} for="confirm">Confirm ${this.tab == 'change' ? 'New ' : ''}Password:</label>
+									<input ?hidden=${this.tab != 'register' && this.tab != 'change'} type="password" id="confirm" name="confirm"></input>

 									<input id="loginButton" type="submit" name="submit" value="Login"></input>
 									<input type="hidden" name="register" value="${this.tab == 'register' ? 1 : 0}"></input>
+									<input type="hidden" name="change" value="${this.tab == 'change' ? 1 : 0}"></input>
 								</form>
 							</div>
 							<div ?hidden=${this.tab != 'guest'}>
--- a/core/auth.js
+++ b/core/auth.js
@ -113,23 +113,37 @@ function getCookies(headers) {
 	return cookies;
 }

+function isNameValid(name) {
+	let c = name.charAt(0);
+	return ((c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z')) && name.split().map(x => x >= ('a' && x <= 'z') || x >= ('A' && x <= 'Z') || x >= ('0' && x <= '9'));
+}
+
 function handler(request, response) {
 	let session = getCookies(request.headers).session;
 	if (request.uri == "/login") {
+		let formData = form.decodeForm(request.query);
+		if (query(request.headers)?.permissions?.authenticated) {
+			if (formData.return) {
+				response.writeHead(303, {"Location": formData.return});
+			} else {
+				response.writeHead(303, {"Location": (request.client.tls ? 'https://' : 'http://') + request.headers.host + '/', "Content-Length": "0"});
+			}
+			response.end();
+			return;
+		}
+
 		let sessionIsNew = false;
 		let loginError;

-		let formData = form.decodeForm(request.query);
-
-		print(request.method, utf8Decode(request.body), JSON.stringify(formData));
 		if (request.method == "POST" || formData.submit) {
 			sessionIsNew = true;
 			formData = form.decodeForm(utf8Decode(request.body), formData);
 			if (formData.submit == "Login") {
 				let account = gDatabase.get("user:" + formData.name);
 				account = account ? JSON.parse(account) : account;
-				if (formData.register == "1") {
+				if (formData.register == '1') {
 					if (!account &&
+						isNameValid(formData.name) &&
 						formData.password == formData.confirm) {
 						let users = new Set();
 						let users_original = gDatabase.get('users');
@ -146,12 +160,23 @@ function handler(request, response) {
 						}
 						session = makeJwt({name: formData.name});
 						account = {password: hashPassword(formData.password)};
-						gDatabase.set("user:" + formData.name, JSON.stringify(account));
+						gDatabase.set('user:' + formData.name, JSON.stringify(account));
 						if (noAdministrator()) {
 							makeAdministrator(formData.name);
 						}
 					} else {
-						loginError = "Error registering account.";
+						loginError = 'Error registering account.';
+					}
+				} else if (formData.change == '1') {
+					if (account &&
+						isNameValid(formData.name) &&
+						formData.new_password == formData.confirm &&
+						verifyPassword(formData.password, account.password)) {
+						session = makeJwt({name: formData.name});
+						account = {password: hashPassword(formData.new_password)};
+						gDatabase.set('user:' + formData.name, JSON.stringify(account));
+					} else {
+						loginError = 'Error changing password.';
 					}
 				} else {
 					if (account &&
@ -162,7 +187,7 @@ function handler(request, response) {
 							makeAdministrator(formData.name);
 						}
 					} else {
-						loginError = "Invalid username or password.";
+						loginError = 'Invalid username or password.';
 					}
 				}
 			} else {
--- a/core/client.js
+++ b/core/client.js
@ -80,7 +80,7 @@ class TfNavigationElement extends LitElement {
 			let spark_line = document.createElement('tf-sparkline');
 			spark_line.style.display = 'flex';
 			spark_line.style.flexDirection = 'row';
-			spark_line.style.flex = '0 100 10em';
+			spark_line.style.flex = '0 50 5em';
 			spark_line.title = key;
 			if (options) {
 				if (options.max) {
@ -126,7 +126,7 @@ class TfNavigationElement extends LitElement {
 			<style>
 				${k_global_style}
 			</style>
-			<div style="margin: 4px; display: flex; flex-direction: row; flex-wrap: nowrap; gap: 3px">
+			<div style="margin: 4px; display: flex; flex-direction: row; flex-wrap: nowrap; gap: 3px; align-items: center">
 				<span style="cursor: pointer" @click=${() => this.show_version = !this.show_version}>😎</span>
 				<span ?hidden=${!this.show_version} style="flex: 0 0; white-space: nowrap" title=${this.version?.name + ' ' + Object.entries(this.version || {}).filter(x => ['name', 'number'].indexOf(x[0]) == -1).map(x => `\n* ${x[0]}: ${x[1]}`)}>${this.version?.number}</span>
 				<a accesskey="h" data-tip="Open home app." href="/" style="color: #fff; white-space: nowrap">TF</a>
@ -136,7 +136,7 @@ class TfNavigationElement extends LitElement {
 				<span style="display: inline-block; vertical-align: top; white-space: pre; color: ${this.status.color ?? kErrorColor}">${this.status.message}</span>
 				<span id="requests"></span>
 				${this.render_permissions()}
-				<span style="flex: 1 1; display: flex; flex-direction: row; white-space: nowrap; margin: 0; padding: 0">${Object.keys(this.spark_lines).sort().map(x => this.spark_lines[x]).map(x => [x.dataset.emoji, x])}</span>
+				<span style="flex: 1 1; display: flex; flex-direction: row; white-space: nowrap; margin: 0; padding: 0">${Object.keys(this.spark_lines).sort().map(x => this.spark_lines[x]).map(x => [html`<span style="font-size: xx-small">${x.dataset.emoji}</span>`, x])}</span>
 				<span style="flex: 0 0; white-space: nowrap">${this.render_login()}</span>
 			</div>
 		`;
@ -310,7 +310,7 @@ class TfSparkLineElement extends LitElement {
 	render_line(line) {
 		if (line?.values?.length >= 2) {
 			let max = Math.max(this.max, ...line.values);
-			let points = [].concat(...line.values.map((x, i) => [100.0 * i / (line.values.length - 1), 10.0 - 10.0 * (x - this.min) / (max - this.min)]));
+			let points = [].concat(...line.values.map((x, i) => [50.0 * i / (line.values.length - 1), 10.0 - 10.0 * (x - this.min) / (max - this.min)]));
 			return svg`<polyline points=${points.join(' ')} stroke=${line.style} fill="none"/>`;
 		}
 	}
@ -318,7 +318,7 @@ class TfSparkLineElement extends LitElement {
 	render() {
 		let max = Math.round(10.0 * Math.max(...this.lines.map(line => line.values[line.values.length - 1]))) / 10.0;
 		return html`
-			<svg style="width-auto: object-fit: cover; margin: 0; padding: 0; background: #000" viewBox="0 0 100 10" preserveAspectRatio="none" xmlns="http://www.w3.org/2000/svg">
+			<svg style="max-width: 7.5em; max-height: 1.5em; margin: 0; padding: 0; background: #000" viewBox="0 0 50 10" xmlns="http://www.w3.org/2000/svg">
 				${this.lines.map(x => this.render_line(x))}
 				<text x="0" y="1em" style="font: 8px sans-serif; fill: #fff">${max}</text>
 			</svg>
@ -784,12 +784,13 @@ function _receive_websocket_message(message) {
 			};
 			const k_colors = ['#0f0', '#88f', '#ff0', '#f0f', '#0ff', '#f00', '#888'];
 			let graph_key = k_groups[key]?.group || key;
-			if (graph_key == 'cpu' || graph_key == 'rpc' || graph_key == 'store') {
+			if (['cpu', 'rpc', 'store', 'memory'].indexOf(graph_key) != -1) {
 				let line = document.getElementsByTagName('tf-navigation')[0].get_spark_line(graph_key, { max: 100 });
 				line.dataset.emoji = {
 					'cpu': '💻',
 					'rpc': '🔁',
 					'store': '💾',
+					'memory': '🐏',
 				}[graph_key];
 				line.append(key, message.stats[key]);
 			}
--- a/core/httpd.js
+++ b/core/httpd.js
@ -4,7 +4,7 @@ let gHandlers = [];
 let gSocketHandlers = [];
 let gBadRequests = {};

-const kRequestTimeout = 15000;
+const kRequestTimeout = 5000;
 const kStallTimeout = 60000;

 function logError(error) {
@ -395,41 +395,10 @@ function handleConnection(client) {
 	let parsing_header = true;
 	let bodyToRead = -1;
 	let body;
-	let requestCount = -1;
 	let readCount = 0;
 	let isWebsocket = false;

-	function resetTimeout(requestIndex) {
-		if (isWebsocket) {
-			return;
-		}
-		if (bodyToRead == -1) {
-			setTimeout(function() {
-				if (requestCount == requestIndex) {
-					client.info = 'timed out';
-					if (requestCount == 0) {
-						badRequest(client, 'Timed out waiting for request.');
-					} else {
-						client.close();
-					}
-				}
-			}, kRequestTimeout);
-		} else {
-			let lastReadCount = readCount;
-			setTimeout(function() {
-				if (readCount == lastReadCount) {
-					client.info = 'stalled';
-					if (requestCount == 0) {
-						badRequest(client, 'Request stalled.');
-					} else {
-						client.close();
-					}
-				}
-			}, kStallTimeout);
-		}
-	}
-
-	resetTimeout(++requestCount);
+	client.setActivityTimeout(kRequestTimeout);

 	function reset() {
 		request = undefined;
@ -438,7 +407,7 @@ function handleConnection(client) {
 		bodyToRead = -1;
 		body = undefined;
 		client.info = 'reset';
-		resetTimeout(++requestCount);
+		client.setActivityTimeout(kRequestTimeout);
 	}

 	function finish() {
@ -463,9 +432,6 @@ function handleConnection(client) {
 	client.read(function(data) {
 		readCount++;
 		if (data) {
-			if (bodyToRead != -1 && !isWebsocket) {
-				resetTimeout(requestCount);
-			}
 			let newBuffer = new Uint8Array(inputBuffer.length + data.length);
 			newBuffer.set(inputBuffer, 0);
 			newBuffer.set(data, inputBuffer.length);
@ -483,6 +449,7 @@ function handleConnection(client) {
 							return;
 						}
 					} else if (typeof result === 'object')  {
+						client.setActivityTimeout(kStallTimeout);
 						request = [
 							result.method,
 							result.path,
@ -509,7 +476,6 @@ function handleConnection(client) {
 							}
 							body = new Uint8Array(bodyToRead);
 							client.info = 'waiting for body';
-							resetTimeout(requestCount);
 						} else if (headers["connection"]
 							&& headers["connection"].toLowerCase().split(",").map(x => x.trim()).indexOf("upgrade") != -1
 							&& headers["upgrade"]
@ -520,7 +486,7 @@ function handleConnection(client) {
 							let response = new Response(requestObject, client);
 							handleWebSocketRequest(requestObject, response, client);
 							/* Prevent the timeout from disconnecting us. */
-							requestCount++;
+							client.setActivityTimeout();
 						} else {
 							finish();
 						}
--- a/core/index.html
+++ b/core/index.html
@ -28,11 +28,10 @@
 				</div>
 			</div>
 			<div id="viewPane" class="vbox" style="flex: 1 1; overflow: auto">
-				<iframe id="document" sandbox="allow-forms allow-scripts allow-top-navigation allow-modals allow-downloads" style="width: 100%; height: 100%; border: 0"></iframe>
+				<iframe id="document" sandbox="allow-forms allow-scripts allow-top-navigation allow-modals allow-popups allow-downloads" style="width: 100%; height: 100%; border: 0"></iframe>
 			</div>
 		</div>
 		<script>window.litDisableBundleWarning = true;</script>
-		<script src="/split/split.min.js"></script>
 		<script src="/static/client.js" type="module"></script>
 	</body>
 </html>
--- a/deps/openssl/android/arm64-v8a/usr/local/bin/c_rehash
+++ b/deps/openssl/android/arm64-v8a/usr/local/bin/c_rehash
@ -1,251 +0,0 @@
-#!/usr/bin/env perl
-
-# WARNING: do not edit!
-# Generated by Makefile from tools/c_rehash.in
-# Copyright 1999-2022 The OpenSSL Project Authors. All Rights Reserved.
-#
-# Licensed under the OpenSSL license (the "License").  You may not use
-# this file except in compliance with the License.  You can obtain a copy
-# in the file LICENSE in the source distribution or at
-# https://www.openssl.org/source/license.html
-
-# Perl c_rehash script, scan all files in a directory
-# and add symbolic links to their hash values.
-
-my $dir = "";
-my $prefix = "";
-
-my $errorcount = 0;
-my $openssl = $ENV{OPENSSL} || "openssl";
-my $pwd;
-my $x509hash = "-subject_hash";
-my $crlhash = "-hash";
-my $verbose = 0;
-my $symlink_exists=eval {symlink("",""); 1};
-my $removelinks = 1;
-
-##  Parse flags.
-while ( $ARGV[0] =~ /^-/ ) {
-    my $flag = shift @ARGV;
-    last if ( $flag eq '--');
-    if ( $flag eq '-old') {
-	    $x509hash = "-subject_hash_old";
-	    $crlhash = "-hash_old";
-    } elsif ( $flag eq '-h' || $flag eq '-help' ) {
-	    help();
-    } elsif ( $flag eq '-n' ) {
-	    $removelinks = 0;
-    } elsif ( $flag eq '-v' ) {
-	    $verbose++;
-    }
-    else {
-	    print STDERR "Usage error; try -h.\n";
-	    exit 1;
-    }
-}
-
-sub help {
-	print "Usage: c_rehash [-old] [-h] [-help] [-v] [dirs...]\n";
-	print "   -old use old-style digest\n";
-	print "   -h or -help print this help text\n";
-	print "   -v print files removed and linked\n";
-	exit 0;
-}
-
-eval "require Cwd";
-if (defined(&Cwd::getcwd)) {
-	$pwd=Cwd::getcwd();
-} else {
-	$pwd=`pwd`;
-	chomp($pwd);
-}
-
-# DOS/Win32 or Unix delimiter?  Prefix our installdir, then search.
-my $path_delim = ($pwd =~ /^[a-z]\:/i) ? ';' : ':';
-$ENV{PATH} = "$prefix/bin" . ($ENV{PATH} ? $path_delim . $ENV{PATH} : "");
-
-if (! -x $openssl) {
-	my $found = 0;
-	foreach (split /$path_delim/, $ENV{PATH}) {
-		if (-x "$_/$openssl") {
-			$found = 1;
-			$openssl = "$_/$openssl";
-			last;
-		}	
-	}
-	if ($found == 0) {
-		print STDERR "c_rehash: rehashing skipped ('openssl' program not available)\n";
-		exit 0;
-	}
-}
-
-if (@ARGV) {
-	@dirlist = @ARGV;
-} elsif ($ENV{SSL_CERT_DIR}) {
-	@dirlist = split /$path_delim/, $ENV{SSL_CERT_DIR};
-} else {
-	$dirlist[0] = "$dir/certs";
-}
-
-if (-d $dirlist[0]) {
-	chdir $dirlist[0];
-	$openssl="$pwd/$openssl" if (!-x $openssl);
-	chdir $pwd;
-}
-
-foreach (@dirlist) {
-	if (-d $_ ) {
-            if ( -w $_) {
-		hash_dir($_);
-            } else {
-                print "Skipping $_, can't write\n";
-                $errorcount++;
-            }
-	}
-}
-exit($errorcount);
-
-sub copy_file {
-    my ($src_fname, $dst_fname) = @_;
-
-    if (open(my $in, "<", $src_fname)) {
-        if (open(my $out, ">", $dst_fname)) {
-            print $out $_ while (<$in>);
-            close $out;
-        } else {
-            warn "Cannot open $dst_fname for write, $!";
-        }
-        close $in;
-    } else {
-        warn "Cannot open $src_fname for read, $!";
-    }
-}
-
-sub hash_dir {
-    my $dir = shift;
-    my %hashlist;
-
-    print "Doing $dir\n";
-
-    if (!chdir $dir) {
-        print STDERR "WARNING: Cannot chdir to '$dir', $!\n";
-        return;
-    }
-
-    opendir(DIR, ".") || print STDERR "WARNING: Cannot opendir '.', $!\n";
-    my @flist = sort readdir(DIR);
-    closedir DIR;
-    if ( $removelinks ) {
-        # Delete any existing symbolic links
-        foreach (grep {/^[\da-f]+\.r{0,1}\d+$/} @flist) {
-            if (-l $_) {
-                print "unlink $_\n" if $verbose;
-                unlink $_ || warn "Can't unlink $_, $!\n";
-            }
-        }
-    }
-    FILE: foreach $fname (grep {/\.(pem)|(crt)|(cer)|(crl)$/} @flist) {
-        # Check to see if certificates and/or CRLs present.
-        my ($cert, $crl) = check_file($fname);
-        if (!$cert && !$crl) {
-            print STDERR "WARNING: $fname does not contain a certificate or CRL: skipping\n";
-            next;
-        }
-        link_hash_cert($fname) if ($cert);
-        link_hash_crl($fname) if ($crl);
-    }
-
-    chdir $pwd;
-}
-
-sub check_file {
-    my ($is_cert, $is_crl) = (0,0);
-    my $fname = $_[0];
-
-    open(my $in, "<", $fname);
-    while(<$in>) {
-        if (/^-----BEGIN (.*)-----/) {
-            my $hdr = $1;
-            if ($hdr =~ /^(X509 |TRUSTED |)CERTIFICATE$/) {
-                $is_cert = 1;
-                last if ($is_crl);
-            } elsif ($hdr eq "X509 CRL") {
-                $is_crl = 1;
-                last if ($is_cert);
-            }
-        }
-    }
-    close $in;
-    return ($is_cert, $is_crl);
-}
-
-sub compute_hash {
-    my $fh;
-    if ( $^O eq "VMS" ) {
-        # VMS uses the open through shell
-        # The file names are safe there and list form is unsupported
-        if (!open($fh, "-|", join(' ', @_))) {
-            print STDERR "Cannot compute hash on '$fname'\n";
-            return;
-        }
-    } else {
-        if (!open($fh, "-|", @_)) {
-            print STDERR "Cannot compute hash on '$fname'\n";
-            return;
-        }
-    }
-    return (<$fh>, <$fh>);
-}
-
-# Link a certificate to its subject name hash value, each hash is of
-# the form <hash>.<n> where n is an integer. If the hash value already exists
-# then we need to up the value of n, unless its a duplicate in which
-# case we skip the link. We check for duplicates by comparing the
-# certificate fingerprints
-
-sub link_hash_cert {
-    link_hash($_[0], 'cert');
-}
-
-# Same as above except for a CRL. CRL links are of the form <hash>.r<n>
-
-sub link_hash_crl {
-    link_hash($_[0], 'crl');
-}
-
-sub link_hash {
-    my ($fname, $type) = @_;
-    my $is_cert = $type eq 'cert';
-
-    my ($hash, $fprint) = compute_hash($openssl,
-                                       $is_cert ? "x509" : "crl",
-                                       $is_cert ? $x509hash : $crlhash,
-                                       "-fingerprint", "-noout",
-                                       "-in", $fname);
-    chomp $hash;
-    chomp $fprint;
-    return if !$hash;
-    $fprint =~ s/^.*=//;
-    $fprint =~ tr/://d;
-    my $suffix = 0;
-    # Search for an unused hash filename
-    my $crlmark = $is_cert ? "" : "r";
-    while(exists $hashlist{"$hash.$crlmark$suffix"}) {
-        # Hash matches: if fingerprint matches its a duplicate cert
-        if ($hashlist{"$hash.$crlmark$suffix"} eq $fprint) {
-            my $what = $is_cert ? 'certificate' : 'CRL';
-            print STDERR "WARNING: Skipping duplicate $what $fname\n";
-            return;
-        }
-        $suffix++;
-    }
-    $hash .= ".$crlmark$suffix";
-    if ($symlink_exists) {
-        print "link $fname -> $hash\n" if $verbose;
-        symlink $fname, $hash || warn "Can't symlink, $!";
-    } else {
-        print "copy $fname -> $hash\n" if $verbose;
-        copy_file($fname, $hash);
-    }
-    $hashlist{$hash} = $fprint;
-}
--- a/deps/openssl/android/arm64-v8a/usr/local/bin/openssl
+++ b/deps/openssl/android/arm64-v8a/usr/local/bin/openssl
--- a/deps/openssl/android/arm64-v8a/usr/local/include/crypto/__DECC_INCLUDE_EPILOGUE.H
+++ b/deps/openssl/android/arm64-v8a/usr/local/include/crypto/__DECC_INCLUDE_EPILOGUE.H
@ -0,0 +1,16 @@
+/*
+ * Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the OpenSSL license (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+/*
+ * This file is only used by HP C on VMS, and is included automatically
+ * after each header file from this directory
+ */
+
+/* restore state.  Must correspond to the save in __decc_include_prologue.h */
+#pragma names restore
--- a/deps/openssl/android/arm64-v8a/usr/local/include/crypto/__DECC_INCLUDE_PROLOGUE.H
+++ b/deps/openssl/android/arm64-v8a/usr/local/include/crypto/__DECC_INCLUDE_PROLOGUE.H
@ -0,0 +1,20 @@
+/*
+ * Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the OpenSSL license (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+/*
+ * This file is only used by HP C on VMS, and is included automatically
+ * after each header file from this directory
+ */
+
+/* save state */
+#pragma names save
+/* have the compiler shorten symbols larger than 31 chars to 23 chars
+ * followed by a 8 hex char CRC
+ */
+#pragma names as_is,shortened
--- a/deps/openssl/android/arm64-v8a/usr/local/include/crypto/aria.h
+++ b/deps/openssl/android/arm64-v8a/usr/local/include/crypto/aria.h
@ -0,0 +1,50 @@
+/*
+ * Copyright 2006-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright (c) 2017, Oracle and/or its affiliates.  All rights reserved.
+ *
+ * Licensed under the OpenSSL license (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+ /* Copyright (c) 2017 National Security Research Institute.  All rights reserved. */
+
+#ifndef OSSL_CRYPTO_ARIA_H
+# define OSSL_CRYPTO_ARIA_H
+
+# include <openssl/opensslconf.h>
+
+# ifdef OPENSSL_NO_ARIA
+#  error ARIA is disabled.
+# endif
+
+# define ARIA_ENCRYPT     1
+# define ARIA_DECRYPT     0
+
+# define ARIA_BLOCK_SIZE    16  /* Size of each encryption/decryption block */
+# define ARIA_MAX_KEYS      17  /* Number of keys needed in the worst case  */
+
+typedef union {
+    unsigned char c[ARIA_BLOCK_SIZE];
+    unsigned int u[ARIA_BLOCK_SIZE / sizeof(unsigned int)];
+} ARIA_u128;
+
+typedef unsigned char ARIA_c128[ARIA_BLOCK_SIZE];
+
+struct aria_key_st {
+    ARIA_u128 rd_key[ARIA_MAX_KEYS];
+    unsigned int rounds;
+};
+typedef struct aria_key_st ARIA_KEY;
+
+
+int aria_set_encrypt_key(const unsigned char *userKey, const int bits,
+                         ARIA_KEY *key);
+int aria_set_decrypt_key(const unsigned char *userKey, const int bits,
+                         ARIA_KEY *key);
+
+void aria_encrypt(const unsigned char *in, unsigned char *out,
+                  const ARIA_KEY *key);
+
+#endif
--- a/deps/openssl/android/arm64-v8a/usr/local/include/crypto/asn1.h
+++ b/deps/openssl/android/arm64-v8a/usr/local/include/crypto/asn1.h
@ -0,0 +1,113 @@
+/*
+ * Copyright 2015-2018 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the OpenSSL license (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+/* Internal ASN1 structures and functions: not for application use */
+
+/* ASN1 public key method structure */
+
+struct evp_pkey_asn1_method_st {
+    int pkey_id;
+    int pkey_base_id;
+    unsigned long pkey_flags;
+    char *pem_str;
+    char *info;
+    int (*pub_decode) (EVP_PKEY *pk, X509_PUBKEY *pub);
+    int (*pub_encode) (X509_PUBKEY *pub, const EVP_PKEY *pk);
+    int (*pub_cmp) (const EVP_PKEY *a, const EVP_PKEY *b);
+    int (*pub_print) (BIO *out, const EVP_PKEY *pkey, int indent,
+                      ASN1_PCTX *pctx);
+    int (*priv_decode) (EVP_PKEY *pk, const PKCS8_PRIV_KEY_INFO *p8inf);
+    int (*priv_encode) (PKCS8_PRIV_KEY_INFO *p8, const EVP_PKEY *pk);
+    int (*priv_print) (BIO *out, const EVP_PKEY *pkey, int indent,
+                       ASN1_PCTX *pctx);
+    int (*pkey_size) (const EVP_PKEY *pk);
+    int (*pkey_bits) (const EVP_PKEY *pk);
+    int (*pkey_security_bits) (const EVP_PKEY *pk);
+    int (*param_decode) (EVP_PKEY *pkey,
+                         const unsigned char **pder, int derlen);
+    int (*param_encode) (const EVP_PKEY *pkey, unsigned char **pder);
+    int (*param_missing) (const EVP_PKEY *pk);
+    int (*param_copy) (EVP_PKEY *to, const EVP_PKEY *from);
+    int (*param_cmp) (const EVP_PKEY *a, const EVP_PKEY *b);
+    int (*param_print) (BIO *out, const EVP_PKEY *pkey, int indent,
+                        ASN1_PCTX *pctx);
+    int (*sig_print) (BIO *out,
+                      const X509_ALGOR *sigalg, const ASN1_STRING *sig,
+                      int indent, ASN1_PCTX *pctx);
+    void (*pkey_free) (EVP_PKEY *pkey);
+    int (*pkey_ctrl) (EVP_PKEY *pkey, int op, long arg1, void *arg2);
+    /* Legacy functions for old PEM */
+    int (*old_priv_decode) (EVP_PKEY *pkey,
+                            const unsigned char **pder, int derlen);
+    int (*old_priv_encode) (const EVP_PKEY *pkey, unsigned char **pder);
+    /* Custom ASN1 signature verification */
+    int (*item_verify) (EVP_MD_CTX *ctx, const ASN1_ITEM *it, void *asn,
+                        X509_ALGOR *a, ASN1_BIT_STRING *sig, EVP_PKEY *pkey);
+    int (*item_sign) (EVP_MD_CTX *ctx, const ASN1_ITEM *it, void *asn,
+                      X509_ALGOR *alg1, X509_ALGOR *alg2,
+                      ASN1_BIT_STRING *sig);
+    int (*siginf_set) (X509_SIG_INFO *siginf, const X509_ALGOR *alg,
+                       const ASN1_STRING *sig);
+    /* Check */
+    int (*pkey_check) (const EVP_PKEY *pk);
+    int (*pkey_public_check) (const EVP_PKEY *pk);
+    int (*pkey_param_check) (const EVP_PKEY *pk);
+    /* Get/set raw private/public key data */
+    int (*set_priv_key) (EVP_PKEY *pk, const unsigned char *priv, size_t len);
+    int (*set_pub_key) (EVP_PKEY *pk, const unsigned char *pub, size_t len);
+    int (*get_priv_key) (const EVP_PKEY *pk, unsigned char *priv, size_t *len);
+    int (*get_pub_key) (const EVP_PKEY *pk, unsigned char *pub, size_t *len);
+} /* EVP_PKEY_ASN1_METHOD */ ;
+
+DEFINE_STACK_OF_CONST(EVP_PKEY_ASN1_METHOD)
+
+extern const EVP_PKEY_ASN1_METHOD cmac_asn1_meth;
+extern const EVP_PKEY_ASN1_METHOD dh_asn1_meth;
+extern const EVP_PKEY_ASN1_METHOD dhx_asn1_meth;
+extern const EVP_PKEY_ASN1_METHOD dsa_asn1_meths[5];
+extern const EVP_PKEY_ASN1_METHOD eckey_asn1_meth;
+extern const EVP_PKEY_ASN1_METHOD ecx25519_asn1_meth;
+extern const EVP_PKEY_ASN1_METHOD ecx448_asn1_meth;
+extern const EVP_PKEY_ASN1_METHOD ed25519_asn1_meth;
+extern const EVP_PKEY_ASN1_METHOD ed448_asn1_meth;
+extern const EVP_PKEY_ASN1_METHOD sm2_asn1_meth;
+extern const EVP_PKEY_ASN1_METHOD poly1305_asn1_meth;
+
+extern const EVP_PKEY_ASN1_METHOD hmac_asn1_meth;
+extern const EVP_PKEY_ASN1_METHOD rsa_asn1_meths[2];
+extern const EVP_PKEY_ASN1_METHOD rsa_pss_asn1_meth;
+extern const EVP_PKEY_ASN1_METHOD siphash_asn1_meth;
+
+/*
+ * These are used internally in the ASN1_OBJECT to keep track of whether the
+ * names and data need to be free()ed
+ */
+# define ASN1_OBJECT_FLAG_DYNAMIC         0x01/* internal use */
+# define ASN1_OBJECT_FLAG_CRITICAL        0x02/* critical x509v3 object id */
+# define ASN1_OBJECT_FLAG_DYNAMIC_STRINGS 0x04/* internal use */
+# define ASN1_OBJECT_FLAG_DYNAMIC_DATA    0x08/* internal use */
+struct asn1_object_st {
+    const char *sn, *ln;
+    int nid;
+    int length;
+    const unsigned char *data;  /* data remains const after init */
+    int flags;                  /* Should we free this one */
+};
+
+/* ASN1 print context structure */
+
+struct asn1_pctx_st {
+    unsigned long flags;
+    unsigned long nm_flags;
+    unsigned long cert_flags;
+    unsigned long oid_flags;
+    unsigned long str_flags;
+} /* ASN1_PCTX */ ;
+
+int asn1_d2i_read_bio(BIO *in, BUF_MEM **pb);
--- a/deps/openssl/android/arm64-v8a/usr/local/include/crypto/async.h
+++ b/deps/openssl/android/arm64-v8a/usr/local/include/crypto/async.h
@ -0,0 +1,15 @@
+/*
+ * Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the OpenSSL license (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#include <openssl/async.h>
+
+int async_init(void);
+void async_deinit(void);
+void async_delete_thread_state(void);
+
--- a/deps/openssl/android/arm64-v8a/usr/local/include/crypto/bn.h
+++ b/deps/openssl/android/arm64-v8a/usr/local/include/crypto/bn.h
@ -0,0 +1,90 @@
+/*
+ * Copyright 2014-2023 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the OpenSSL license (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#ifndef OSSL_CRYPTO_BN_H
+# define OSSL_CRYPTO_BN_H
+
+# include <openssl/bn.h>
+# include <limits.h>
+
+BIGNUM *bn_wexpand(BIGNUM *a, int words);
+BIGNUM *bn_expand2(BIGNUM *a, int words);
+
+void bn_correct_top(BIGNUM *a);
+
+/*
+ * Determine the modified width-(w+1) Non-Adjacent Form (wNAF) of 'scalar'.
+ * This is an array r[] of values that are either zero or odd with an
+ * absolute value less than 2^w satisfying scalar = \sum_j r[j]*2^j where at
+ * most one of any w+1 consecutive digits is non-zero with the exception that
+ * the most significant digit may be only w-1 zeros away from that next
+ * non-zero digit.
+ */
+signed char *bn_compute_wNAF(const BIGNUM *scalar, int w, size_t *ret_len);
+
+int bn_get_top(const BIGNUM *a);
+
+int bn_get_dmax(const BIGNUM *a);
+
+/* Set all words to zero */
+void bn_set_all_zero(BIGNUM *a);
+
+/*
+ * Copy the internal BIGNUM words into out which holds size elements (and size
+ * must be bigger than top)
+ */
+int bn_copy_words(BN_ULONG *out, const BIGNUM *in, int size);
+
+BN_ULONG *bn_get_words(const BIGNUM *a);
+
+/*
+ * Set the internal data words in a to point to words which contains size
+ * elements. The BN_FLG_STATIC_DATA flag is set
+ */
+void bn_set_static_words(BIGNUM *a, const BN_ULONG *words, int size);
+
+/*
+ * Copy words into the BIGNUM |a|, reallocating space as necessary.
+ * The negative flag of |a| is not modified.
+ * Returns 1 on success and 0 on failure.
+ */
+/*
+ * |num_words| is int because bn_expand2 takes an int. This is an internal
+ * function so we simply trust callers not to pass negative values.
+ */
+int bn_set_words(BIGNUM *a, const BN_ULONG *words, int num_words);
+
+/*
+ * Some BIGNUM functions assume most significant limb to be non-zero, which
+ * is customarily arranged by bn_correct_top. Output from below functions
+ * is not processed with bn_correct_top, and for this reason it may not be
+ * returned out of public API. It may only be passed internally into other
+ * functions known to support non-minimal or zero-padded BIGNUMs. Even
+ * though the goal is to facilitate constant-time-ness, not each subroutine
+ * is constant-time by itself. They all have pre-conditions, consult source
+ * code...
+ */
+int bn_mul_mont_fixed_top(BIGNUM *r, const BIGNUM *a, const BIGNUM *b,
+                          BN_MONT_CTX *mont, BN_CTX *ctx);
+int bn_to_mont_fixed_top(BIGNUM *r, const BIGNUM *a, BN_MONT_CTX *mont,
+                         BN_CTX *ctx);
+int bn_from_mont_fixed_top(BIGNUM *r, const BIGNUM *a, BN_MONT_CTX *mont,
+                           BN_CTX *ctx);
+int bn_mod_add_fixed_top(BIGNUM *r, const BIGNUM *a, const BIGNUM *b,
+                         const BIGNUM *m);
+int bn_mod_sub_fixed_top(BIGNUM *r, const BIGNUM *a, const BIGNUM *b,
+                         const BIGNUM *m);
+int bn_mul_fixed_top(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx);
+int bn_sqr_fixed_top(BIGNUM *r, const BIGNUM *a, BN_CTX *ctx);
+int bn_lshift_fixed_top(BIGNUM *r, const BIGNUM *a, int n);
+int bn_rshift_fixed_top(BIGNUM *r, const BIGNUM *a, int n);
+int bn_div_fixed_top(BIGNUM *dv, BIGNUM *rem, const BIGNUM *m,
+                     const BIGNUM *d, BN_CTX *ctx);
+
+#endif
--- a/deps/openssl/android/arm64-v8a/usr/local/include/crypto/bn_conf.h
+++ b/deps/openssl/android/arm64-v8a/usr/local/include/crypto/bn_conf.h
@ -0,0 +1,28 @@
+/* WARNING: do not edit! */
+/* Generated by Makefile from include/crypto/bn_conf.h.in */
+/*
+ * Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the OpenSSL license (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#ifndef OSSL_CRYPTO_BN_CONF_H
+# define OSSL_CRYPTO_BN_CONF_H
+
+/*
+ * The contents of this file are not used in the UEFI build, as
+ * both 32-bit and 64-bit builds are supported from a single run
+ * of the Configure script.
+ */
+
+/* Should we define BN_DIV2W here? */
+
+/* Only one for the following should be defined */
+#define SIXTY_FOUR_BIT_LONG
+#undef SIXTY_FOUR_BIT
+#undef THIRTY_TWO_BIT
+
+#endif
--- a/deps/openssl/android/arm64-v8a/usr/local/include/crypto/bn_conf.h.in
+++ b/deps/openssl/android/arm64-v8a/usr/local/include/crypto/bn_conf.h.in
@ -0,0 +1,27 @@
+{- join("\n",map { "/* $_ */" } @autowarntext) -}
+/*
+ * Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the OpenSSL license (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#ifndef OSSL_CRYPTO_BN_CONF_H
+# define OSSL_CRYPTO_BN_CONF_H
+
+/*
+ * The contents of this file are not used in the UEFI build, as
+ * both 32-bit and 64-bit builds are supported from a single run
+ * of the Configure script.
+ */
+
+/* Should we define BN_DIV2W here? */
+
+/* Only one for the following should be defined */
+{- $config{b64l} ? "#define" : "#undef" -} SIXTY_FOUR_BIT_LONG
+{- $config{b64}  ? "#define" : "#undef" -} SIXTY_FOUR_BIT
+{- $config{b32}  ? "#define" : "#undef" -} THIRTY_TWO_BIT
+
+#endif
--- a/deps/openssl/android/arm64-v8a/usr/local/include/crypto/bn_dh.h
+++ b/deps/openssl/android/arm64-v8a/usr/local/include/crypto/bn_dh.h
@ -0,0 +1,24 @@
+/*
+ * Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the OpenSSL license (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#define declare_dh_bn(x) \
+    extern const BIGNUM _bignum_dh##x##_p;              \
+    extern const BIGNUM _bignum_dh##x##_g;              \
+    extern const BIGNUM _bignum_dh##x##_q;
+
+declare_dh_bn(1024_160)
+declare_dh_bn(2048_224)
+declare_dh_bn(2048_256)
+
+extern const BIGNUM _bignum_ffdhe2048_p;
+extern const BIGNUM _bignum_ffdhe3072_p;
+extern const BIGNUM _bignum_ffdhe4096_p;
+extern const BIGNUM _bignum_ffdhe6144_p;
+extern const BIGNUM _bignum_ffdhe8192_p;
+extern const BIGNUM _bignum_const_2;
--- a/deps/openssl/android/arm64-v8a/usr/local/include/crypto/bn_srp.h
+++ b/deps/openssl/android/arm64-v8a/usr/local/include/crypto/bn_srp.h
@ -0,0 +1,32 @@
+/*
+ * Copyright 2014-2016 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the OpenSSL license (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#ifndef OPENSSL_NO_SRP
+
+extern const BIGNUM bn_group_1024;
+
+extern const BIGNUM bn_group_1536;
+
+extern const BIGNUM bn_group_2048;
+
+extern const BIGNUM bn_group_3072;
+
+extern const BIGNUM bn_group_4096;
+
+extern const BIGNUM bn_group_6144;
+
+extern const BIGNUM bn_group_8192;
+
+extern const BIGNUM bn_generator_19;
+
+extern const BIGNUM bn_generator_5;
+
+extern const BIGNUM bn_generator_2;
+
+#endif
--- a/deps/openssl/android/arm64-v8a/usr/local/include/crypto/chacha.h
+++ b/deps/openssl/android/arm64-v8a/usr/local/include/crypto/chacha.h
@ -0,0 +1,42 @@
+/*
+ * Copyright 2015-2018 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the OpenSSL license (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#ifndef OSSL_CRYPTO_CHACHA_H
+#define OSSL_CRYPTO_CHACHA_H
+
+#include <stddef.h>
+
+/*
+ * ChaCha20_ctr32 encrypts |len| bytes from |inp| with the given key and
+ * nonce and writes the result to |out|, which may be equal to |inp|.
+ * The |key| is not 32 bytes of verbatim key material though, but the
+ * said material collected into 8 32-bit elements array in host byte
+ * order. Same approach applies to nonce: the |counter| argument is
+ * pointer to concatenated nonce and counter values collected into 4
+ * 32-bit elements. This, passing crypto material collected into 32-bit
+ * elements as opposite to passing verbatim byte vectors, is chosen for
+ * efficiency in multi-call scenarios.
+ */
+void ChaCha20_ctr32(unsigned char *out, const unsigned char *inp,
+                    size_t len, const unsigned int key[8],
+                    const unsigned int counter[4]);
+/*
+ * You can notice that there is no key setup procedure. Because it's
+ * as trivial as collecting bytes into 32-bit elements, it's reckoned
+ * that below macro is sufficient.
+ */
+#define CHACHA_U8TOU32(p)  ( \
+                ((unsigned int)(p)[0])     | ((unsigned int)(p)[1]<<8) | \
+                ((unsigned int)(p)[2]<<16) | ((unsigned int)(p)[3]<<24)  )
+
+#define CHACHA_KEY_SIZE		32
+#define CHACHA_CTR_SIZE		16
+#define CHACHA_BLK_SIZE		64
+
+#endif
--- a/deps/openssl/android/arm64-v8a/usr/local/include/crypto/cryptlib.h
+++ b/deps/openssl/android/arm64-v8a/usr/local/include/crypto/cryptlib.h
@ -0,0 +1,35 @@
+/*
+ * Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the OpenSSL license (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#include "internal/cryptlib.h"
+
+/* This file is not scanned by mkdef.pl, whereas cryptlib.h is */
+
+struct thread_local_inits_st {
+    int async;
+    int err_state;
+    int rand;
+};
+
+int ossl_init_thread_start(uint64_t opts);
+
+/*
+ * OPENSSL_INIT flags. The primary list of these is in crypto.h. Flags below
+ * are those omitted from crypto.h because they are "reserved for internal
+ * use".
+ */
+# define OPENSSL_INIT_ZLIB                   0x00010000L
+# define OPENSSL_INIT_BASE_ONLY              0x00040000L
+
+/* OPENSSL_INIT_THREAD flags */
+# define OPENSSL_INIT_THREAD_ASYNC           0x01
+# define OPENSSL_INIT_THREAD_ERR_STATE       0x02
+# define OPENSSL_INIT_THREAD_RAND            0x04
+
+void ossl_malloc_setup_failures(void);
--- a/deps/openssl/android/arm64-v8a/usr/local/include/crypto/ctype.h
+++ b/deps/openssl/android/arm64-v8a/usr/local/include/crypto/ctype.h
@ -0,0 +1,82 @@
+/*
+ * Copyright 2017-2019 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the OpenSSL license (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+/*
+ * This version of ctype.h provides a standardised and platform
+ * independent implementation that supports seven bit ASCII characters.
+ * The specific intent is to not pass extended ASCII characters (> 127)
+ * even if the host operating system would.
+ *
+ * There is EBCDIC support included for machines which use this.  However,
+ * there are a number of concerns about how well EBCDIC is supported
+ * throughout the rest of the source code.  Refer to issue #4154 for
+ * details.
+ */
+#ifndef OSSL_CRYPTO_CTYPE_H
+# define OSSL_CRYPTO_CTYPE_H
+
+# define CTYPE_MASK_lower       0x1
+# define CTYPE_MASK_upper       0x2
+# define CTYPE_MASK_digit       0x4
+# define CTYPE_MASK_space       0x8
+# define CTYPE_MASK_xdigit      0x10
+# define CTYPE_MASK_blank       0x20
+# define CTYPE_MASK_cntrl       0x40
+# define CTYPE_MASK_graph       0x80
+# define CTYPE_MASK_print       0x100
+# define CTYPE_MASK_punct       0x200
+# define CTYPE_MASK_base64      0x400
+# define CTYPE_MASK_asn1print   0x800
+
+# define CTYPE_MASK_alpha   (CTYPE_MASK_lower | CTYPE_MASK_upper)
+# define CTYPE_MASK_alnum   (CTYPE_MASK_alpha | CTYPE_MASK_digit)
+
+/*
+ * The ascii mask assumes that any other classification implies that
+ * the character is ASCII and that there are no ASCII characters
+ * that aren't in any of the classifications.
+ *
+ * This assumption holds at the moment, but it might not in the future.
+ */
+# define CTYPE_MASK_ascii   (~0)
+
+# ifdef CHARSET_EBCDIC
+int ossl_toascii(int c);
+int ossl_fromascii(int c);
+# else
+#  define ossl_toascii(c)       (c)
+#  define ossl_fromascii(c)     (c)
+# endif
+int ossl_ctype_check(int c, unsigned int mask);
+int ossl_tolower(int c);
+int ossl_toupper(int c);
+
+int ascii_isdigit(const char inchar);
+
+# define ossl_isalnum(c)        (ossl_ctype_check((c), CTYPE_MASK_alnum))
+# define ossl_isalpha(c)        (ossl_ctype_check((c), CTYPE_MASK_alpha))
+# ifdef CHARSET_EBCDIC
+# define ossl_isascii(c)        (ossl_ctype_check((c), CTYPE_MASK_ascii))
+# else
+# define ossl_isascii(c)        (((c) & ~127) == 0)
+# endif
+# define ossl_isblank(c)        (ossl_ctype_check((c), CTYPE_MASK_blank))
+# define ossl_iscntrl(c)        (ossl_ctype_check((c), CTYPE_MASK_cntrl))
+# define ossl_isdigit(c)        (ossl_ctype_check((c), CTYPE_MASK_digit))
+# define ossl_isgraph(c)        (ossl_ctype_check((c), CTYPE_MASK_graph))
+# define ossl_islower(c)        (ossl_ctype_check((c), CTYPE_MASK_lower))
+# define ossl_isprint(c)        (ossl_ctype_check((c), CTYPE_MASK_print))
+# define ossl_ispunct(c)        (ossl_ctype_check((c), CTYPE_MASK_punct))
+# define ossl_isspace(c)        (ossl_ctype_check((c), CTYPE_MASK_space))
+# define ossl_isupper(c)        (ossl_ctype_check((c), CTYPE_MASK_upper))
+# define ossl_isxdigit(c)       (ossl_ctype_check((c), CTYPE_MASK_xdigit))
+# define ossl_isbase64(c)       (ossl_ctype_check((c), CTYPE_MASK_base64))
+# define ossl_isasn1print(c)    (ossl_ctype_check((c), CTYPE_MASK_asn1print))
+
+#endif
--- a/deps/openssl/android/arm64-v8a/usr/local/include/crypto/dso_conf.h
+++ b/deps/openssl/android/arm64-v8a/usr/local/include/crypto/dso_conf.h
@ -0,0 +1,17 @@
+/* WARNING: do not edit! */
+/* Generated by Makefile from include/crypto/dso_conf.h.in */
+/*
+ * Copyright 2016-2019 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the OpenSSL license (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#ifndef OSSL_CRYPTO_DSO_CONF_H
+# define OSSL_CRYPTO_DSO_CONF_H
+# define DSO_DLFCN
+# define HAVE_DLFCN_H
+# define DSO_EXTENSION ".so"
+#endif
--- a/deps/openssl/android/arm64-v8a/usr/local/include/crypto/dso_conf.h.in
+++ b/deps/openssl/android/arm64-v8a/usr/local/include/crypto/dso_conf.h.in
@ -0,0 +1,31 @@
+{- join("\n",map { "/* $_ */" } @autowarntext) -}
+/*
+ * Copyright 2016-2019 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the OpenSSL license (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#ifndef OSSL_CRYPTO_DSO_CONF_H
+# define OSSL_CRYPTO_DSO_CONF_H
+{-  # The DSO code currently always implements all functions so that no
+    # applications will have to worry about that from a compilation point
+    # of view. However, the "method"s may return zero unless that platform
+    # has support compiled in for them. Currently each method is enabled
+    # by a define "DSO_<name>" ... we translate the "dso_scheme" config
+    # string entry into using the following logic;
+    my $scheme = $disabled{dso} ? undef : uc $target{dso_scheme};
+    if (!$scheme) {
+        $scheme = "NONE";
+    }
+    my @macros = ( "DSO_$scheme" );
+    if ($scheme eq 'DLFCN') {
+        @macros = ( "DSO_DLFCN", "HAVE_DLFCN_H" );
+    } elsif ($scheme eq "DLFCN_NO_H") {
+        @macros = ( "DSO_DLFCN" );
+    }
+    join("\n", map { "# define $_" } @macros); -}
+# define DSO_EXTENSION "{- $target{dso_extension} -}"
+#endif
--- a/deps/openssl/android/arm64-v8a/usr/local/include/crypto/ec.h
+++ b/deps/openssl/android/arm64-v8a/usr/local/include/crypto/ec.h
@ -0,0 +1,53 @@
+/*
+ * Copyright 2018 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the OpenSSL license (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+/* Internal EC functions for other submodules: not for application use */
+
+#ifndef OSSL_CRYPTO_EC_H
+# define OSSL_CRYPTO_EC_H
+# include <openssl/opensslconf.h>
+
+# ifndef OPENSSL_NO_EC
+
+#  include <openssl/ec.h>
+
+/*-
+ * Computes the multiplicative inverse of x in the range
+ * [1,EC_GROUP::order), where EC_GROUP::order is the cardinality of the
+ * subgroup generated by the generator G:
+ *
+ *         res := x^(-1) (mod EC_GROUP::order).
+ *
+ * This function expects the following two conditions to hold:
+ *  - the EC_GROUP order is prime, and
+ *  - x is included in the range [1, EC_GROUP::order).
+ *
+ * This function returns 1 on success, 0 on error.
+ *
+ * If the EC_GROUP order is even, this function explicitly returns 0 as
+ * an error.
+ * In case any of the two conditions stated above is not satisfied,
+ * the correctness of its output is not guaranteed, even if the return
+ * value could still be 1 (as primality testing and a conditional modular
+ * reduction round on the input can be omitted by the underlying
+ * implementations for better SCA properties on regular input values).
+ */
+__owur int ec_group_do_inverse_ord(const EC_GROUP *group, BIGNUM *res,
+                                   const BIGNUM *x, BN_CTX *ctx);
+
+/*-
+ * ECDH Key Derivation Function as defined in ANSI X9.63
+ */
+int ecdh_KDF_X9_63(unsigned char *out, size_t outlen,
+                   const unsigned char *Z, size_t Zlen,
+                   const unsigned char *sinfo, size_t sinfolen,
+                   const EVP_MD *md);
+
+# endif /* OPENSSL_NO_EC */
+#endif
--- a/deps/openssl/android/arm64-v8a/usr/local/include/crypto/engine.h
+++ b/deps/openssl/android/arm64-v8a/usr/local/include/crypto/engine.h
@ -0,0 +1,20 @@
+/*
+ * Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the OpenSSL license (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#include <openssl/engine.h>
+
+void engine_load_openssl_int(void);
+void engine_load_devcrypto_int(void);
+void engine_load_rdrand_int(void);
+void engine_load_dynamic_int(void);
+void engine_load_padlock_int(void);
+void engine_load_capi_int(void);
+void engine_load_dasync_int(void);
+void engine_load_afalg_int(void);
+void engine_cleanup_int(void);
--- a/deps/openssl/android/arm64-v8a/usr/local/include/crypto/err.h
+++ b/deps/openssl/android/arm64-v8a/usr/local/include/crypto/err.h
@ -0,0 +1,19 @@
+/*
+ * Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the OpenSSL license (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#ifndef OSSL_CRYPTO_ERR_H
+# define OSSL_CRYPTO_ERR_H
+
+int err_load_crypto_strings_int(void);
+void err_cleanup(void);
+void err_delete_thread_state(void);
+int err_shelve_state(void **);
+void err_unshelve_state(void *);
+
+#endif
--- a/deps/openssl/android/arm64-v8a/usr/local/include/crypto/evp.h
+++ b/deps/openssl/android/arm64-v8a/usr/local/include/crypto/evp.h
@ -0,0 +1,442 @@
+/*
+ * Copyright 2015-2018 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the OpenSSL license (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#include <openssl/evp.h>
+#include "internal/refcount.h"
+
+/*
+ * Don't free up md_ctx->pctx in EVP_MD_CTX_reset, use the reserved flag
+ * values in evp.h
+ */
+#define EVP_MD_CTX_FLAG_KEEP_PKEY_CTX   0x0400
+
+struct evp_pkey_ctx_st {
+    /* Method associated with this operation */
+    const EVP_PKEY_METHOD *pmeth;
+    /* Engine that implements this method or NULL if builtin */
+    ENGINE *engine;
+    /* Key: may be NULL */
+    EVP_PKEY *pkey;
+    /* Peer key for key agreement, may be NULL */
+    EVP_PKEY *peerkey;
+    /* Actual operation */
+    int operation;
+    /* Algorithm specific data */
+    void *data;
+    /* Application specific data */
+    void *app_data;
+    /* Keygen callback */
+    EVP_PKEY_gen_cb *pkey_gencb;
+    /* implementation specific keygen data */
+    int *keygen_info;
+    int keygen_info_count;
+} /* EVP_PKEY_CTX */ ;
+
+#define EVP_PKEY_FLAG_DYNAMIC   1
+
+struct evp_pkey_method_st {
+    int pkey_id;
+    int flags;
+    int (*init) (EVP_PKEY_CTX *ctx);
+    int (*copy) (EVP_PKEY_CTX *dst, EVP_PKEY_CTX *src);
+    void (*cleanup) (EVP_PKEY_CTX *ctx);
+    int (*paramgen_init) (EVP_PKEY_CTX *ctx);
+    int (*paramgen) (EVP_PKEY_CTX *ctx, EVP_PKEY *pkey);
+    int (*keygen_init) (EVP_PKEY_CTX *ctx);
+    int (*keygen) (EVP_PKEY_CTX *ctx, EVP_PKEY *pkey);
+    int (*sign_init) (EVP_PKEY_CTX *ctx);
+    int (*sign) (EVP_PKEY_CTX *ctx, unsigned char *sig, size_t *siglen,
+                 const unsigned char *tbs, size_t tbslen);
+    int (*verify_init) (EVP_PKEY_CTX *ctx);
+    int (*verify) (EVP_PKEY_CTX *ctx,
+                   const unsigned char *sig, size_t siglen,
+                   const unsigned char *tbs, size_t tbslen);
+    int (*verify_recover_init) (EVP_PKEY_CTX *ctx);
+    int (*verify_recover) (EVP_PKEY_CTX *ctx,
+                           unsigned char *rout, size_t *routlen,
+                           const unsigned char *sig, size_t siglen);
+    int (*signctx_init) (EVP_PKEY_CTX *ctx, EVP_MD_CTX *mctx);
+    int (*signctx) (EVP_PKEY_CTX *ctx, unsigned char *sig, size_t *siglen,
+                    EVP_MD_CTX *mctx);
+    int (*verifyctx_init) (EVP_PKEY_CTX *ctx, EVP_MD_CTX *mctx);
+    int (*verifyctx) (EVP_PKEY_CTX *ctx, const unsigned char *sig, int siglen,
+                      EVP_MD_CTX *mctx);
+    int (*encrypt_init) (EVP_PKEY_CTX *ctx);
+    int (*encrypt) (EVP_PKEY_CTX *ctx, unsigned char *out, size_t *outlen,
+                    const unsigned char *in, size_t inlen);
+    int (*decrypt_init) (EVP_PKEY_CTX *ctx);
+    int (*decrypt) (EVP_PKEY_CTX *ctx, unsigned char *out, size_t *outlen,
+                    const unsigned char *in, size_t inlen);
+    int (*derive_init) (EVP_PKEY_CTX *ctx);
+    int (*derive) (EVP_PKEY_CTX *ctx, unsigned char *key, size_t *keylen);
+    int (*ctrl) (EVP_PKEY_CTX *ctx, int type, int p1, void *p2);
+    int (*ctrl_str) (EVP_PKEY_CTX *ctx, const char *type, const char *value);
+    int (*digestsign) (EVP_MD_CTX *ctx, unsigned char *sig, size_t *siglen,
+                       const unsigned char *tbs, size_t tbslen);
+    int (*digestverify) (EVP_MD_CTX *ctx, const unsigned char *sig,
+                         size_t siglen, const unsigned char *tbs,
+                         size_t tbslen);
+    int (*check) (EVP_PKEY *pkey);
+    int (*public_check) (EVP_PKEY *pkey);
+    int (*param_check) (EVP_PKEY *pkey);
+
+    int (*digest_custom) (EVP_PKEY_CTX *ctx, EVP_MD_CTX *mctx);
+} /* EVP_PKEY_METHOD */ ;
+
+DEFINE_STACK_OF_CONST(EVP_PKEY_METHOD)
+
+void evp_pkey_set_cb_translate(BN_GENCB *cb, EVP_PKEY_CTX *ctx);
+
+extern const EVP_PKEY_METHOD cmac_pkey_meth;
+extern const EVP_PKEY_METHOD dh_pkey_meth;
+extern const EVP_PKEY_METHOD dhx_pkey_meth;
+extern const EVP_PKEY_METHOD dsa_pkey_meth;
+extern const EVP_PKEY_METHOD ec_pkey_meth;
+extern const EVP_PKEY_METHOD sm2_pkey_meth;
+extern const EVP_PKEY_METHOD ecx25519_pkey_meth;
+extern const EVP_PKEY_METHOD ecx448_pkey_meth;
+extern const EVP_PKEY_METHOD ed25519_pkey_meth;
+extern const EVP_PKEY_METHOD ed448_pkey_meth;
+extern const EVP_PKEY_METHOD hmac_pkey_meth;
+extern const EVP_PKEY_METHOD rsa_pkey_meth;
+extern const EVP_PKEY_METHOD rsa_pss_pkey_meth;
+extern const EVP_PKEY_METHOD scrypt_pkey_meth;
+extern const EVP_PKEY_METHOD tls1_prf_pkey_meth;
+extern const EVP_PKEY_METHOD hkdf_pkey_meth;
+extern const EVP_PKEY_METHOD poly1305_pkey_meth;
+extern const EVP_PKEY_METHOD siphash_pkey_meth;
+
+struct evp_md_st {
+    int type;
+    int pkey_type;
+    int md_size;
+    unsigned long flags;
+    int (*init) (EVP_MD_CTX *ctx);
+    int (*update) (EVP_MD_CTX *ctx, const void *data, size_t count);
+    int (*final) (EVP_MD_CTX *ctx, unsigned char *md);
+    int (*copy) (EVP_MD_CTX *to, const EVP_MD_CTX *from);
+    int (*cleanup) (EVP_MD_CTX *ctx);
+    int block_size;
+    int ctx_size;               /* how big does the ctx->md_data need to be */
+    /* control function */
+    int (*md_ctrl) (EVP_MD_CTX *ctx, int cmd, int p1, void *p2);
+} /* EVP_MD */ ;
+
+struct evp_cipher_st {
+    int nid;
+    int block_size;
+    /* Default value for variable length ciphers */
+    int key_len;
+    int iv_len;
+    /* Various flags */
+    unsigned long flags;
+    /* init key */
+    int (*init) (EVP_CIPHER_CTX *ctx, const unsigned char *key,
+                 const unsigned char *iv, int enc);
+    /* encrypt/decrypt data */
+    int (*do_cipher) (EVP_CIPHER_CTX *ctx, unsigned char *out,
+                      const unsigned char *in, size_t inl);
+    /* cleanup ctx */
+    int (*cleanup) (EVP_CIPHER_CTX *);
+    /* how big ctx->cipher_data needs to be */
+    int ctx_size;
+    /* Populate a ASN1_TYPE with parameters */
+    int (*set_asn1_parameters) (EVP_CIPHER_CTX *, ASN1_TYPE *);
+    /* Get parameters from a ASN1_TYPE */
+    int (*get_asn1_parameters) (EVP_CIPHER_CTX *, ASN1_TYPE *);
+    /* Miscellaneous operations */
+    int (*ctrl) (EVP_CIPHER_CTX *, int type, int arg, void *ptr);
+    /* Application data */
+    void *app_data;
+} /* EVP_CIPHER */ ;
+
+/* Macros to code block cipher wrappers */
+
+/* Wrapper functions for each cipher mode */
+
+#define EVP_C_DATA(kstruct, ctx) \
+        ((kstruct *)EVP_CIPHER_CTX_get_cipher_data(ctx))
+
+#define BLOCK_CIPHER_ecb_loop() \
+        size_t i, bl; \
+        bl = EVP_CIPHER_CTX_cipher(ctx)->block_size;    \
+        if (inl < bl) return 1;\
+        inl -= bl; \
+        for (i=0; i <= inl; i+=bl)
+
+#define BLOCK_CIPHER_func_ecb(cname, cprefix, kstruct, ksched) \
+static int cname##_ecb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, const unsigned char *in, size_t inl) \
+{\
+        BLOCK_CIPHER_ecb_loop() \
+            cprefix##_ecb_encrypt(in + i, out + i, &EVP_C_DATA(kstruct,ctx)->ksched, EVP_CIPHER_CTX_encrypting(ctx)); \
+        return 1;\
+}
+
+#define EVP_MAXCHUNK ((size_t)1<<(sizeof(long)*8-2))
+
+#define BLOCK_CIPHER_func_ofb(cname, cprefix, cbits, kstruct, ksched) \
+    static int cname##_ofb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, const unsigned char *in, size_t inl) \
+{\
+        while(inl>=EVP_MAXCHUNK) {\
+            int num = EVP_CIPHER_CTX_num(ctx);\
+            cprefix##_ofb##cbits##_encrypt(in, out, (long)EVP_MAXCHUNK, &EVP_C_DATA(kstruct,ctx)->ksched, EVP_CIPHER_CTX_iv_noconst(ctx), &num); \
+            EVP_CIPHER_CTX_set_num(ctx, num);\
+            inl-=EVP_MAXCHUNK;\
+            in +=EVP_MAXCHUNK;\
+            out+=EVP_MAXCHUNK;\
+        }\
+        if (inl) {\
+            int num = EVP_CIPHER_CTX_num(ctx);\
+            cprefix##_ofb##cbits##_encrypt(in, out, (long)inl, &EVP_C_DATA(kstruct,ctx)->ksched, EVP_CIPHER_CTX_iv_noconst(ctx), &num); \
+            EVP_CIPHER_CTX_set_num(ctx, num);\
+        }\
+        return 1;\
+}
+
+#define BLOCK_CIPHER_func_cbc(cname, cprefix, kstruct, ksched) \
+static int cname##_cbc_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, const unsigned char *in, size_t inl) \
+{\
+        while(inl>=EVP_MAXCHUNK) \
+            {\
+            cprefix##_cbc_encrypt(in, out, (long)EVP_MAXCHUNK, &EVP_C_DATA(kstruct,ctx)->ksched, EVP_CIPHER_CTX_iv_noconst(ctx), EVP_CIPHER_CTX_encrypting(ctx));\
+            inl-=EVP_MAXCHUNK;\
+            in +=EVP_MAXCHUNK;\
+            out+=EVP_MAXCHUNK;\
+            }\
+        if (inl)\
+            cprefix##_cbc_encrypt(in, out, (long)inl, &EVP_C_DATA(kstruct,ctx)->ksched, EVP_CIPHER_CTX_iv_noconst(ctx), EVP_CIPHER_CTX_encrypting(ctx));\
+        return 1;\
+}
+
+#define BLOCK_CIPHER_func_cfb(cname, cprefix, cbits, kstruct, ksched)  \
+static int cname##_cfb##cbits##_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, const unsigned char *in, size_t inl) \
+{\
+    size_t chunk = EVP_MAXCHUNK;\
+    if (cbits == 1)  chunk >>= 3;\
+    if (inl < chunk) chunk = inl;\
+    while (inl && inl >= chunk)\
+    {\
+        int num = EVP_CIPHER_CTX_num(ctx);\
+        cprefix##_cfb##cbits##_encrypt(in, out, (long) \
+            ((cbits == 1) \
+                && !EVP_CIPHER_CTX_test_flags(ctx, EVP_CIPH_FLAG_LENGTH_BITS) \
+                ? chunk*8 : chunk), \
+            &EVP_C_DATA(kstruct, ctx)->ksched, EVP_CIPHER_CTX_iv_noconst(ctx),\
+            &num, EVP_CIPHER_CTX_encrypting(ctx));\
+        EVP_CIPHER_CTX_set_num(ctx, num);\
+        inl -= chunk;\
+        in += chunk;\
+        out += chunk;\
+        if (inl < chunk) chunk = inl;\
+    }\
+    return 1;\
+}
+
+#define BLOCK_CIPHER_all_funcs(cname, cprefix, cbits, kstruct, ksched) \
+        BLOCK_CIPHER_func_cbc(cname, cprefix, kstruct, ksched) \
+        BLOCK_CIPHER_func_cfb(cname, cprefix, cbits, kstruct, ksched) \
+        BLOCK_CIPHER_func_ecb(cname, cprefix, kstruct, ksched) \
+        BLOCK_CIPHER_func_ofb(cname, cprefix, cbits, kstruct, ksched)
+
+#define BLOCK_CIPHER_def1(cname, nmode, mode, MODE, kstruct, nid, block_size, \
+                          key_len, iv_len, flags, init_key, cleanup, \
+                          set_asn1, get_asn1, ctrl) \
+static const EVP_CIPHER cname##_##mode = { \
+        nid##_##nmode, block_size, key_len, iv_len, \
+        flags | EVP_CIPH_##MODE##_MODE, \
+        init_key, \
+        cname##_##mode##_cipher, \
+        cleanup, \
+        sizeof(kstruct), \
+        set_asn1, get_asn1,\
+        ctrl, \
+        NULL \
+}; \
+const EVP_CIPHER *EVP_##cname##_##mode(void) { return &cname##_##mode; }
+
+#define BLOCK_CIPHER_def_cbc(cname, kstruct, nid, block_size, key_len, \
+                             iv_len, flags, init_key, cleanup, set_asn1, \
+                             get_asn1, ctrl) \
+BLOCK_CIPHER_def1(cname, cbc, cbc, CBC, kstruct, nid, block_size, key_len, \
+                  iv_len, flags, init_key, cleanup, set_asn1, get_asn1, ctrl)
+
+#define BLOCK_CIPHER_def_cfb(cname, kstruct, nid, key_len, \
+                             iv_len, cbits, flags, init_key, cleanup, \
+                             set_asn1, get_asn1, ctrl) \
+BLOCK_CIPHER_def1(cname, cfb##cbits, cfb##cbits, CFB, kstruct, nid, 1, \
+                  key_len, iv_len, flags, init_key, cleanup, set_asn1, \
+                  get_asn1, ctrl)
+
+#define BLOCK_CIPHER_def_ofb(cname, kstruct, nid, key_len, \
+                             iv_len, cbits, flags, init_key, cleanup, \
+                             set_asn1, get_asn1, ctrl) \
+BLOCK_CIPHER_def1(cname, ofb##cbits, ofb, OFB, kstruct, nid, 1, \
+                  key_len, iv_len, flags, init_key, cleanup, set_asn1, \
+                  get_asn1, ctrl)
+
+#define BLOCK_CIPHER_def_ecb(cname, kstruct, nid, block_size, key_len, \
+                             flags, init_key, cleanup, set_asn1, \
+                             get_asn1, ctrl) \
+BLOCK_CIPHER_def1(cname, ecb, ecb, ECB, kstruct, nid, block_size, key_len, \
+                  0, flags, init_key, cleanup, set_asn1, get_asn1, ctrl)
+
+#define BLOCK_CIPHER_defs(cname, kstruct, \
+                          nid, block_size, key_len, iv_len, cbits, flags, \
+                          init_key, cleanup, set_asn1, get_asn1, ctrl) \
+BLOCK_CIPHER_def_cbc(cname, kstruct, nid, block_size, key_len, iv_len, flags, \
+                     init_key, cleanup, set_asn1, get_asn1, ctrl) \
+BLOCK_CIPHER_def_cfb(cname, kstruct, nid, key_len, iv_len, cbits, \
+                     flags, init_key, cleanup, set_asn1, get_asn1, ctrl) \
+BLOCK_CIPHER_def_ofb(cname, kstruct, nid, key_len, iv_len, cbits, \
+                     flags, init_key, cleanup, set_asn1, get_asn1, ctrl) \
+BLOCK_CIPHER_def_ecb(cname, kstruct, nid, block_size, key_len, flags, \
+                     init_key, cleanup, set_asn1, get_asn1, ctrl)
+
+/*-
+#define BLOCK_CIPHER_defs(cname, kstruct, \
+                                nid, block_size, key_len, iv_len, flags,\
+                                 init_key, cleanup, set_asn1, get_asn1, ctrl)\
+static const EVP_CIPHER cname##_cbc = {\
+        nid##_cbc, block_size, key_len, iv_len, \
+        flags | EVP_CIPH_CBC_MODE,\
+        init_key,\
+        cname##_cbc_cipher,\
+        cleanup,\
+        sizeof(EVP_CIPHER_CTX)-sizeof((((EVP_CIPHER_CTX *)NULL)->c))+\
+                sizeof((((EVP_CIPHER_CTX *)NULL)->c.kstruct)),\
+        set_asn1, get_asn1,\
+        ctrl, \
+        NULL \
+};\
+const EVP_CIPHER *EVP_##cname##_cbc(void) { return &cname##_cbc; }\
+static const EVP_CIPHER cname##_cfb = {\
+        nid##_cfb64, 1, key_len, iv_len, \
+        flags | EVP_CIPH_CFB_MODE,\
+        init_key,\
+        cname##_cfb_cipher,\
+        cleanup,\
+        sizeof(EVP_CIPHER_CTX)-sizeof((((EVP_CIPHER_CTX *)NULL)->c))+\
+                sizeof((((EVP_CIPHER_CTX *)NULL)->c.kstruct)),\
+        set_asn1, get_asn1,\
+        ctrl,\
+        NULL \
+};\
+const EVP_CIPHER *EVP_##cname##_cfb(void) { return &cname##_cfb; }\
+static const EVP_CIPHER cname##_ofb = {\
+        nid##_ofb64, 1, key_len, iv_len, \
+        flags | EVP_CIPH_OFB_MODE,\
+        init_key,\
+        cname##_ofb_cipher,\
+        cleanup,\
+        sizeof(EVP_CIPHER_CTX)-sizeof((((EVP_CIPHER_CTX *)NULL)->c))+\
+                sizeof((((EVP_CIPHER_CTX *)NULL)->c.kstruct)),\
+        set_asn1, get_asn1,\
+        ctrl,\
+        NULL \
+};\
+const EVP_CIPHER *EVP_##cname##_ofb(void) { return &cname##_ofb; }\
+static const EVP_CIPHER cname##_ecb = {\
+        nid##_ecb, block_size, key_len, iv_len, \
+        flags | EVP_CIPH_ECB_MODE,\
+        init_key,\
+        cname##_ecb_cipher,\
+        cleanup,\
+        sizeof(EVP_CIPHER_CTX)-sizeof((((EVP_CIPHER_CTX *)NULL)->c))+\
+                sizeof((((EVP_CIPHER_CTX *)NULL)->c.kstruct)),\
+        set_asn1, get_asn1,\
+        ctrl,\
+        NULL \
+};\
+const EVP_CIPHER *EVP_##cname##_ecb(void) { return &cname##_ecb; }
+*/
+
+#define IMPLEMENT_BLOCK_CIPHER(cname, ksched, cprefix, kstruct, nid, \
+                               block_size, key_len, iv_len, cbits, \
+                               flags, init_key, \
+                               cleanup, set_asn1, get_asn1, ctrl) \
+        BLOCK_CIPHER_all_funcs(cname, cprefix, cbits, kstruct, ksched) \
+        BLOCK_CIPHER_defs(cname, kstruct, nid, block_size, key_len, iv_len, \
+                          cbits, flags, init_key, cleanup, set_asn1, \
+                          get_asn1, ctrl)
+
+#define IMPLEMENT_CFBR(cipher,cprefix,kstruct,ksched,keysize,cbits,iv_len,fl) \
+        BLOCK_CIPHER_func_cfb(cipher##_##keysize,cprefix,cbits,kstruct,ksched) \
+        BLOCK_CIPHER_def_cfb(cipher##_##keysize,kstruct, \
+                             NID_##cipher##_##keysize, keysize/8, iv_len, cbits, \
+                             (fl)|EVP_CIPH_FLAG_DEFAULT_ASN1, \
+                             cipher##_init_key, NULL, NULL, NULL, NULL)
+
+
+# ifndef OPENSSL_NO_EC
+
+#define X25519_KEYLEN        32
+#define X448_KEYLEN          56
+#define ED448_KEYLEN         57
+
+#define MAX_KEYLEN  ED448_KEYLEN
+
+typedef struct {
+    unsigned char pubkey[MAX_KEYLEN];
+    unsigned char *privkey;
+} ECX_KEY;
+
+#endif
+
+/*
+ * Type needs to be a bit field Sub-type needs to be for variations on the
+ * method, as in, can it do arbitrary encryption....
+ */
+struct evp_pkey_st {
+    int type;
+    int save_type;
+    CRYPTO_REF_COUNT references;
+    const EVP_PKEY_ASN1_METHOD *ameth;
+    ENGINE *engine;
+    ENGINE *pmeth_engine; /* If not NULL public key ENGINE to use */
+    union {
+        void *ptr;
+# ifndef OPENSSL_NO_RSA
+        struct rsa_st *rsa;     /* RSA */
+# endif
+# ifndef OPENSSL_NO_DSA
+        struct dsa_st *dsa;     /* DSA */
+# endif
+# ifndef OPENSSL_NO_DH
+        struct dh_st *dh;       /* DH */
+# endif
+# ifndef OPENSSL_NO_EC
+        struct ec_key_st *ec;   /* ECC */
+        ECX_KEY *ecx;           /* X25519, X448, Ed25519, Ed448 */
+# endif
+    } pkey;
+    int save_parameters;
+    STACK_OF(X509_ATTRIBUTE) *attributes; /* [ 0 ] */
+    CRYPTO_RWLOCK *lock;
+} /* EVP_PKEY */ ;
+
+
+void openssl_add_all_ciphers_int(void);
+void openssl_add_all_digests_int(void);
+void evp_cleanup_int(void);
+void evp_app_cleanup_int(void);
+
+/* Pulling defines out of C source files */
+
+#define EVP_RC4_KEY_SIZE 16
+#ifndef TLS1_1_VERSION
+# define TLS1_1_VERSION   0x0302
+#endif
+
+void evp_encode_ctx_set_flags(EVP_ENCODE_CTX *ctx, unsigned int flags);
+
+/* EVP_ENCODE_CTX flags */
+/* Don't generate new lines when encoding */
+#define EVP_ENCODE_CTX_NO_NEWLINES          1
+/* Use the SRP base64 alphabet instead of the standard one */
+#define EVP_ENCODE_CTX_USE_SRP_ALPHABET     2
--- a/deps/openssl/android/arm64-v8a/usr/local/include/crypto/lhash.h
+++ b/deps/openssl/android/arm64-v8a/usr/local/include/crypto/lhash.h
@ -0,0 +1,15 @@
+/*
+ * Copyright 2018 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the OpenSSL license (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#ifndef OSSL_CRYPTO_LHASH_H
+# define OSSL_CRYPTO_LHASH_H
+
+unsigned long openssl_lh_strcasehash(const char *);
+
+#endif
--- a/deps/openssl/android/arm64-v8a/usr/local/include/crypto/md32_common.h
+++ b/deps/openssl/android/arm64-v8a/usr/local/include/crypto/md32_common.h
@ -0,0 +1,256 @@
+/*
+ * Copyright 1999-2018 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the OpenSSL license (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+/*-
+ * This is a generic 32 bit "collector" for message digest algorithms.
+ * Whenever needed it collects input character stream into chunks of
+ * 32 bit values and invokes a block function that performs actual hash
+ * calculations.
+ *
+ * Porting guide.
+ *
+ * Obligatory macros:
+ *
+ * DATA_ORDER_IS_BIG_ENDIAN or DATA_ORDER_IS_LITTLE_ENDIAN
+ *      this macro defines byte order of input stream.
+ * HASH_CBLOCK
+ *      size of a unit chunk HASH_BLOCK operates on.
+ * HASH_LONG
+ *      has to be at least 32 bit wide.
+ * HASH_CTX
+ *      context structure that at least contains following
+ *      members:
+ *              typedef struct {
+ *                      ...
+ *                      HASH_LONG       Nl,Nh;
+ *                      either {
+ *                      HASH_LONG       data[HASH_LBLOCK];
+ *                      unsigned char   data[HASH_CBLOCK];
+ *                      };
+ *                      unsigned int    num;
+ *                      ...
+ *                      } HASH_CTX;
+ *      data[] vector is expected to be zeroed upon first call to
+ *      HASH_UPDATE.
+ * HASH_UPDATE
+ *      name of "Update" function, implemented here.
+ * HASH_TRANSFORM
+ *      name of "Transform" function, implemented here.
+ * HASH_FINAL
+ *      name of "Final" function, implemented here.
+ * HASH_BLOCK_DATA_ORDER
+ *      name of "block" function capable of treating *unaligned* input
+ *      message in original (data) byte order, implemented externally.
+ * HASH_MAKE_STRING
+ *      macro converting context variables to an ASCII hash string.
+ *
+ * MD5 example:
+ *
+ *      #define DATA_ORDER_IS_LITTLE_ENDIAN
+ *
+ *      #define HASH_LONG               MD5_LONG
+ *      #define HASH_CTX                MD5_CTX
+ *      #define HASH_CBLOCK             MD5_CBLOCK
+ *      #define HASH_UPDATE             MD5_Update
+ *      #define HASH_TRANSFORM          MD5_Transform
+ *      #define HASH_FINAL              MD5_Final
+ *      #define HASH_BLOCK_DATA_ORDER   md5_block_data_order
+ */
+
+#include <openssl/crypto.h>
+
+#if !defined(DATA_ORDER_IS_BIG_ENDIAN) && !defined(DATA_ORDER_IS_LITTLE_ENDIAN)
+# error "DATA_ORDER must be defined!"
+#endif
+
+#ifndef HASH_CBLOCK
+# error "HASH_CBLOCK must be defined!"
+#endif
+#ifndef HASH_LONG
+# error "HASH_LONG must be defined!"
+#endif
+#ifndef HASH_CTX
+# error "HASH_CTX must be defined!"
+#endif
+
+#ifndef HASH_UPDATE
+# error "HASH_UPDATE must be defined!"
+#endif
+#ifndef HASH_TRANSFORM
+# error "HASH_TRANSFORM must be defined!"
+#endif
+#ifndef HASH_FINAL
+# error "HASH_FINAL must be defined!"
+#endif
+
+#ifndef HASH_BLOCK_DATA_ORDER
+# error "HASH_BLOCK_DATA_ORDER must be defined!"
+#endif
+
+#define ROTATE(a,n)     (((a)<<(n))|(((a)&0xffffffff)>>(32-(n))))
+
+#if defined(DATA_ORDER_IS_BIG_ENDIAN)
+
+# define HOST_c2l(c,l)  (l =(((unsigned long)(*((c)++)))<<24),          \
+                         l|=(((unsigned long)(*((c)++)))<<16),          \
+                         l|=(((unsigned long)(*((c)++)))<< 8),          \
+                         l|=(((unsigned long)(*((c)++)))    )           )
+# define HOST_l2c(l,c)  (*((c)++)=(unsigned char)(((l)>>24)&0xff),      \
+                         *((c)++)=(unsigned char)(((l)>>16)&0xff),      \
+                         *((c)++)=(unsigned char)(((l)>> 8)&0xff),      \
+                         *((c)++)=(unsigned char)(((l)    )&0xff),      \
+                         l)
+
+#elif defined(DATA_ORDER_IS_LITTLE_ENDIAN)
+
+# define HOST_c2l(c,l)  (l =(((unsigned long)(*((c)++)))    ),          \
+                         l|=(((unsigned long)(*((c)++)))<< 8),          \
+                         l|=(((unsigned long)(*((c)++)))<<16),          \
+                         l|=(((unsigned long)(*((c)++)))<<24)           )
+# define HOST_l2c(l,c)  (*((c)++)=(unsigned char)(((l)    )&0xff),      \
+                         *((c)++)=(unsigned char)(((l)>> 8)&0xff),      \
+                         *((c)++)=(unsigned char)(((l)>>16)&0xff),      \
+                         *((c)++)=(unsigned char)(((l)>>24)&0xff),      \
+                         l)
+
+#endif
+
+/*
+ * Time for some action :-)
+ */
+
+int HASH_UPDATE(HASH_CTX *c, const void *data_, size_t len)
+{
+    const unsigned char *data = data_;
+    unsigned char *p;
+    HASH_LONG l;
+    size_t n;
+
+    if (len == 0)
+        return 1;
+
+    l = (c->Nl + (((HASH_LONG) len) << 3)) & 0xffffffffUL;
+    if (l < c->Nl)              /* overflow */
+        c->Nh++;
+    c->Nh += (HASH_LONG) (len >> 29); /* might cause compiler warning on
+                                       * 16-bit */
+    c->Nl = l;
+
+    n = c->num;
+    if (n != 0) {
+        p = (unsigned char *)c->data;
+
+        if (len >= HASH_CBLOCK || len + n >= HASH_CBLOCK) {
+            memcpy(p + n, data, HASH_CBLOCK - n);
+            HASH_BLOCK_DATA_ORDER(c, p, 1);
+            n = HASH_CBLOCK - n;
+            data += n;
+            len -= n;
+            c->num = 0;
+            /*
+             * We use memset rather than OPENSSL_cleanse() here deliberately.
+             * Using OPENSSL_cleanse() here could be a performance issue. It
+             * will get properly cleansed on finalisation so this isn't a
+             * security problem.
+             */
+            memset(p, 0, HASH_CBLOCK); /* keep it zeroed */
+        } else {
+            memcpy(p + n, data, len);
+            c->num += (unsigned int)len;
+            return 1;
+        }
+    }
+
+    n = len / HASH_CBLOCK;
+    if (n > 0) {
+        HASH_BLOCK_DATA_ORDER(c, data, n);
+        n *= HASH_CBLOCK;
+        data += n;
+        len -= n;
+    }
+
+    if (len != 0) {
+        p = (unsigned char *)c->data;
+        c->num = (unsigned int)len;
+        memcpy(p, data, len);
+    }
+    return 1;
+}
+
+void HASH_TRANSFORM(HASH_CTX *c, const unsigned char *data)
+{
+    HASH_BLOCK_DATA_ORDER(c, data, 1);
+}
+
+int HASH_FINAL(unsigned char *md, HASH_CTX *c)
+{
+    unsigned char *p = (unsigned char *)c->data;
+    size_t n = c->num;
+
+    p[n] = 0x80;                /* there is always room for one */
+    n++;
+
+    if (n > (HASH_CBLOCK - 8)) {
+        memset(p + n, 0, HASH_CBLOCK - n);
+        n = 0;
+        HASH_BLOCK_DATA_ORDER(c, p, 1);
+    }
+    memset(p + n, 0, HASH_CBLOCK - 8 - n);
+
+    p += HASH_CBLOCK - 8;
+#if   defined(DATA_ORDER_IS_BIG_ENDIAN)
+    (void)HOST_l2c(c->Nh, p);
+    (void)HOST_l2c(c->Nl, p);
+#elif defined(DATA_ORDER_IS_LITTLE_ENDIAN)
+    (void)HOST_l2c(c->Nl, p);
+    (void)HOST_l2c(c->Nh, p);
+#endif
+    p -= HASH_CBLOCK;
+    HASH_BLOCK_DATA_ORDER(c, p, 1);
+    c->num = 0;
+    OPENSSL_cleanse(p, HASH_CBLOCK);
+
+#ifndef HASH_MAKE_STRING
+# error "HASH_MAKE_STRING must be defined!"
+#else
+    HASH_MAKE_STRING(c, md);
+#endif
+
+    return 1;
+}
+
+#ifndef MD32_REG_T
+# if defined(__alpha) || defined(__sparcv9) || defined(__mips)
+#  define MD32_REG_T long
+/*
+ * This comment was originally written for MD5, which is why it
+ * discusses A-D. But it basically applies to all 32-bit digests,
+ * which is why it was moved to common header file.
+ *
+ * In case you wonder why A-D are declared as long and not
+ * as MD5_LONG. Doing so results in slight performance
+ * boost on LP64 architectures. The catch is we don't
+ * really care if 32 MSBs of a 64-bit register get polluted
+ * with eventual overflows as we *save* only 32 LSBs in
+ * *either* case. Now declaring 'em long excuses the compiler
+ * from keeping 32 MSBs zeroed resulting in 13% performance
+ * improvement under SPARC Solaris7/64 and 5% under AlphaLinux.
+ * Well, to be honest it should say that this *prevents*
+ * performance degradation.
+ */
+# else
+/*
+ * Above is not absolute and there are LP64 compilers that
+ * generate better code if MD32_REG_T is defined int. The above
+ * pre-processor condition reflects the circumstances under which
+ * the conclusion was made and is subject to further extension.
+ */
+#  define MD32_REG_T int
+# endif
+#endif
--- a/deps/openssl/android/arm64-v8a/usr/local/include/crypto/objects.h
+++ b/deps/openssl/android/arm64-v8a/usr/local/include/crypto/objects.h
@ -0,0 +1,12 @@
+/*
+ * Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the OpenSSL license (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#include <openssl/objects.h>
+
+void obj_cleanup_int(void);
--- a/deps/openssl/android/arm64-v8a/usr/local/include/crypto/poly1305.h
+++ b/deps/openssl/android/arm64-v8a/usr/local/include/crypto/poly1305.h
@ -0,0 +1,21 @@
+/*
+ * Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the OpenSSL license (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#include <stddef.h>
+
+#define POLY1305_BLOCK_SIZE  16
+#define POLY1305_DIGEST_SIZE 16
+#define POLY1305_KEY_SIZE    32
+
+typedef struct poly1305_context POLY1305;
+
+size_t Poly1305_ctx_size(void);
+void Poly1305_Init(POLY1305 *ctx, const unsigned char key[32]);
+void Poly1305_Update(POLY1305 *ctx, const unsigned char *inp, size_t len);
+void Poly1305_Final(POLY1305 *ctx, unsigned char mac[16]);
--- a/deps/openssl/android/arm64-v8a/usr/local/include/crypto/rand.h
+++ b/deps/openssl/android/arm64-v8a/usr/local/include/crypto/rand.h
@ -0,0 +1,144 @@
+/*
+ * Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the OpenSSL license (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+/*
+ * Licensed under the OpenSSL licenses, (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * https://www.openssl.org/source/license.html
+ * or in the file LICENSE in the source distribution.
+ */
+
+#ifndef OSSL_CRYPTO_RAND_H
+# define OSSL_CRYPTO_RAND_H
+
+# include <openssl/rand.h>
+
+# if defined(__APPLE__) && !defined(OPENSSL_NO_APPLE_CRYPTO_RANDOM)
+#  include <Availability.h>
+#  if (defined(__MAC_OS_X_VERSION_MIN_REQUIRED) && __MAC_OS_X_VERSION_MIN_REQUIRED >= 101200) || \
+     (defined(__IPHONE_OS_VERSION_MIN_REQUIRED) && __IPHONE_OS_VERSION_MIN_REQUIRED >= 80000)
+#   define OPENSSL_APPLE_CRYPTO_RANDOM 1
+#   include <CommonCrypto/CommonCryptoError.h>
+#   include <CommonCrypto/CommonRandom.h>
+#  endif
+# endif
+
+/* forward declaration */
+typedef struct rand_pool_st RAND_POOL;
+
+void rand_cleanup_int(void);
+void rand_drbg_cleanup_int(void);
+void drbg_delete_thread_state(void);
+
+/* Hardware-based seeding functions. */
+size_t rand_acquire_entropy_from_tsc(RAND_POOL *pool);
+size_t rand_acquire_entropy_from_cpu(RAND_POOL *pool);
+
+/* DRBG entropy callbacks. */
+size_t rand_drbg_get_entropy(RAND_DRBG *drbg,
+                             unsigned char **pout,
+                             int entropy, size_t min_len, size_t max_len,
+                             int prediction_resistance);
+void rand_drbg_cleanup_entropy(RAND_DRBG *drbg,
+                               unsigned char *out, size_t outlen);
+size_t rand_drbg_get_nonce(RAND_DRBG *drbg,
+                           unsigned char **pout,
+                           int entropy, size_t min_len, size_t max_len);
+void rand_drbg_cleanup_nonce(RAND_DRBG *drbg,
+                             unsigned char *out, size_t outlen);
+
+size_t rand_drbg_get_additional_data(RAND_POOL *pool, unsigned char **pout);
+
+void rand_drbg_cleanup_additional_data(RAND_POOL *pool, unsigned char *out);
+
+/*
+ * RAND_POOL functions
+ */
+RAND_POOL *rand_pool_new(int entropy_requested, int secure,
+                         size_t min_len, size_t max_len);
+RAND_POOL *rand_pool_attach(const unsigned char *buffer, size_t len,
+                            size_t entropy);
+void rand_pool_free(RAND_POOL *pool);
+
+const unsigned char *rand_pool_buffer(RAND_POOL *pool);
+unsigned char *rand_pool_detach(RAND_POOL *pool);
+void rand_pool_reattach(RAND_POOL *pool, unsigned char *buffer);
+
+size_t rand_pool_entropy(RAND_POOL *pool);
+size_t rand_pool_length(RAND_POOL *pool);
+
+size_t rand_pool_entropy_available(RAND_POOL *pool);
+size_t rand_pool_entropy_needed(RAND_POOL *pool);
+/* |entropy_factor| expresses how many bits of data contain 1 bit of entropy */
+size_t rand_pool_bytes_needed(RAND_POOL *pool, unsigned int entropy_factor);
+size_t rand_pool_bytes_remaining(RAND_POOL *pool);
+
+int rand_pool_add(RAND_POOL *pool,
+                  const unsigned char *buffer, size_t len, size_t entropy);
+unsigned char *rand_pool_add_begin(RAND_POOL *pool, size_t len);
+int rand_pool_add_end(RAND_POOL *pool, size_t len, size_t entropy);
+
+
+/*
+ * Add random bytes to the pool to acquire requested amount of entropy
+ *
+ * This function is platform specific and tries to acquire the requested
+ * amount of entropy by polling platform specific entropy sources.
+ *
+ * If the function succeeds in acquiring at least |entropy_requested| bits
+ * of entropy, the total entropy count is returned. If it fails, it returns
+ * an entropy count of 0.
+ */
+size_t rand_pool_acquire_entropy(RAND_POOL *pool);
+
+/*
+ * Add some application specific nonce data
+ *
+ * This function is platform specific and adds some application specific
+ * data to the nonce used for instantiating the drbg.
+ *
+ * This data currently consists of the process and thread id, and a high
+ * resolution timestamp. The data does not include an atomic counter,
+ * because that is added by the calling function rand_drbg_get_nonce().
+ *
+ * Returns 1 on success and 0 on failure.
+ */
+int rand_pool_add_nonce_data(RAND_POOL *pool);
+
+
+/*
+ * Add some platform specific additional data
+ *
+ * This function is platform specific and adds some random noise to the
+ * additional data used for generating random bytes and for reseeding
+ * the drbg.
+ *
+ * Returns 1 on success and 0 on failure.
+ */
+int rand_pool_add_additional_data(RAND_POOL *pool);
+
+/*
+ * Initialise the random pool reseeding sources.
+ *
+ * Returns 1 on success and 0 on failure.
+ */
+int rand_pool_init(void);
+
+/*
+ * Finalise the random pool reseeding sources.
+ */
+void rand_pool_cleanup(void);
+
+/*
+ * Control the random pool use of open file descriptors.
+ */
+void rand_pool_keep_random_devices_open(int keep);
+
+#endif
--- a/deps/openssl/android/arm64-v8a/usr/local/include/crypto/sha.h
+++ b/deps/openssl/android/arm64-v8a/usr/local/include/crypto/sha.h
@ -0,0 +1,19 @@
+/*
+ * Copyright 2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright (c) 2018, Oracle and/or its affiliates.  All rights reserved.
+ *
+ * Licensed under the OpenSSL license (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#ifndef OSSL_CRYPTO_SHA_H
+# define OSSL_CRYPTO_SHA_H
+
+# include <openssl/opensslconf.h>
+
+int sha512_224_init(SHA512_CTX *);
+int sha512_256_init(SHA512_CTX *);
+
+#endif
--- a/deps/openssl/android/arm64-v8a/usr/local/include/crypto/siphash.h
+++ b/deps/openssl/android/arm64-v8a/usr/local/include/crypto/siphash.h
@ -0,0 +1,25 @@
+/*
+ * Copyright 2017-2018 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the OpenSSL license (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#include <stddef.h>
+
+#define SIPHASH_BLOCK_SIZE        8
+#define SIPHASH_KEY_SIZE         16
+#define SIPHASH_MIN_DIGEST_SIZE   8
+#define SIPHASH_MAX_DIGEST_SIZE  16
+
+typedef struct siphash_st SIPHASH;
+
+size_t SipHash_ctx_size(void);
+size_t SipHash_hash_size(SIPHASH *ctx);
+int SipHash_set_hash_size(SIPHASH *ctx, size_t hash_size);
+int SipHash_Init(SIPHASH *ctx, const unsigned char *k,
+                 int crounds, int drounds);
+void SipHash_Update(SIPHASH *ctx, const unsigned char *in, size_t inlen);
+int SipHash_Final(SIPHASH *ctx, unsigned char *out, size_t outlen);
--- a/deps/openssl/android/arm64-v8a/usr/local/include/crypto/sm2.h
+++ b/deps/openssl/android/arm64-v8a/usr/local/include/crypto/sm2.h
@ -0,0 +1,77 @@
+/*
+ * Copyright 2017-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2017 Ribose Inc. All Rights Reserved.
+ * Ported from Ribose contributions from Botan.
+ *
+ * Licensed under the OpenSSL license (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#ifndef OSSL_CRYPTO_SM2_H
+# define OSSL_CRYPTO_SM2_H
+# include <openssl/opensslconf.h>
+
+# ifndef OPENSSL_NO_SM2
+
+#  include <openssl/ec.h>
+
+/* The default user id as specified in GM/T 0009-2012 */
+#  define SM2_DEFAULT_USERID "1234567812345678"
+
+int sm2_compute_z_digest(uint8_t *out,
+                         const EVP_MD *digest,
+                         const uint8_t *id,
+                         const size_t id_len,
+                         const EC_KEY *key);
+
+/*
+ * SM2 signature operation. Computes Z and then signs H(Z || msg) using SM2
+ */
+ECDSA_SIG *sm2_do_sign(const EC_KEY *key,
+                       const EVP_MD *digest,
+                       const uint8_t *id,
+                       const size_t id_len,
+                       const uint8_t *msg, size_t msg_len);
+
+int sm2_do_verify(const EC_KEY *key,
+                  const EVP_MD *digest,
+                  const ECDSA_SIG *signature,
+                  const uint8_t *id,
+                  const size_t id_len,
+                  const uint8_t *msg, size_t msg_len);
+
+/*
+ * SM2 signature generation.
+ */
+int sm2_sign(const unsigned char *dgst, int dgstlen,
+             unsigned char *sig, unsigned int *siglen, EC_KEY *eckey);
+
+/*
+ * SM2 signature verification.
+ */
+int sm2_verify(const unsigned char *dgst, int dgstlen,
+               const unsigned char *sig, int siglen, EC_KEY *eckey);
+
+/*
+ * SM2 encryption
+ */
+int sm2_ciphertext_size(const EC_KEY *key, const EVP_MD *digest, size_t msg_len,
+                        size_t *ct_size);
+
+int sm2_plaintext_size(const unsigned char *ct, size_t ct_size, size_t *pt_size);
+
+int sm2_encrypt(const EC_KEY *key,
+                const EVP_MD *digest,
+                const uint8_t *msg,
+                size_t msg_len,
+                uint8_t *ciphertext_buf, size_t *ciphertext_len);
+
+int sm2_decrypt(const EC_KEY *key,
+                const EVP_MD *digest,
+                const uint8_t *ciphertext,
+                size_t ciphertext_len, uint8_t *ptext_buf, size_t *ptext_len);
+
+# endif /* OPENSSL_NO_SM2 */
+#endif
--- a/deps/openssl/android/arm64-v8a/usr/local/include/crypto/sm2err.h
+++ b/deps/openssl/android/arm64-v8a/usr/local/include/crypto/sm2err.h
@ -0,0 +1,65 @@
+/*
+ * Generated by util/mkerr.pl DO NOT EDIT
+ * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the OpenSSL license (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#ifndef OSSL_CRYPTO_SM2ERR_H
+# define OSSL_CRYPTO_SM2ERR_H
+
+# ifndef HEADER_SYMHACKS_H
+#  include <openssl/symhacks.h>
+# endif
+
+# include <openssl/opensslconf.h>
+
+# ifndef OPENSSL_NO_SM2
+
+#  ifdef  __cplusplus
+extern "C"
+#  endif
+int ERR_load_SM2_strings(void);
+
+/*
+ * SM2 function codes.
+ */
+#  define SM2_F_PKEY_SM2_COPY                              115
+#  define SM2_F_PKEY_SM2_CTRL                              109
+#  define SM2_F_PKEY_SM2_CTRL_STR                          110
+#  define SM2_F_PKEY_SM2_DIGEST_CUSTOM                     114
+#  define SM2_F_PKEY_SM2_INIT                              111
+#  define SM2_F_PKEY_SM2_SIGN                              112
+#  define SM2_F_SM2_COMPUTE_MSG_HASH                       100
+#  define SM2_F_SM2_COMPUTE_USERID_DIGEST                  101
+#  define SM2_F_SM2_COMPUTE_Z_DIGEST                       113
+#  define SM2_F_SM2_DECRYPT                                102
+#  define SM2_F_SM2_ENCRYPT                                103
+#  define SM2_F_SM2_PLAINTEXT_SIZE                         104
+#  define SM2_F_SM2_SIGN                                   105
+#  define SM2_F_SM2_SIG_GEN                                106
+#  define SM2_F_SM2_SIG_VERIFY                             107
+#  define SM2_F_SM2_VERIFY                                 108
+
+/*
+ * SM2 reason codes.
+ */
+#  define SM2_R_ASN1_ERROR                                 100
+#  define SM2_R_BAD_SIGNATURE                              101
+#  define SM2_R_BUFFER_TOO_SMALL                           107
+#  define SM2_R_DIST_ID_TOO_LARGE                          110
+#  define SM2_R_ID_NOT_SET                                 112
+#  define SM2_R_ID_TOO_LARGE                               111
+#  define SM2_R_INVALID_CURVE                              108
+#  define SM2_R_INVALID_DIGEST                             102
+#  define SM2_R_INVALID_DIGEST_TYPE                        103
+#  define SM2_R_INVALID_ENCODING                           104
+#  define SM2_R_INVALID_FIELD                              105
+#  define SM2_R_NO_PARAMETERS_SET                          109
+#  define SM2_R_USER_ID_TOO_LARGE                          106
+
+# endif
+#endif
--- a/deps/openssl/android/arm64-v8a/usr/local/include/crypto/sm3.h
+++ b/deps/openssl/android/arm64-v8a/usr/local/include/crypto/sm3.h
@ -0,0 +1,39 @@
+/*
+ * Copyright 2017 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2017 Ribose Inc. All Rights Reserved.
+ *
+ * Licensed under the OpenSSL license (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#ifndef OSSL_CRYPTO_SM3_H
+# define OSSL_CRYPTO_SM3_H
+
+# include <openssl/opensslconf.h>
+
+# ifdef OPENSSL_NO_SM3
+#  error SM3 is disabled.
+# endif
+
+# define SM3_DIGEST_LENGTH 32
+# define SM3_WORD unsigned int
+
+# define SM3_CBLOCK      64
+# define SM3_LBLOCK      (SM3_CBLOCK/4)
+
+typedef struct SM3state_st {
+   SM3_WORD A, B, C, D, E, F, G, H;
+   SM3_WORD Nl, Nh;
+   SM3_WORD data[SM3_LBLOCK];
+   unsigned int num;
+} SM3_CTX;
+
+int sm3_init(SM3_CTX *c);
+int sm3_update(SM3_CTX *c, const void *data, size_t len);
+int sm3_final(unsigned char *md, SM3_CTX *c);
+
+void sm3_block_data_order(SM3_CTX *c, const void *p, size_t num);
+
+#endif
--- a/deps/openssl/android/arm64-v8a/usr/local/include/crypto/sm4.h
+++ b/deps/openssl/android/arm64-v8a/usr/local/include/crypto/sm4.h
@ -0,0 +1,37 @@
+/*
+ * Copyright 2017 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2017 Ribose Inc. All Rights Reserved.
+ *
+ * Licensed under the OpenSSL license (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#ifndef OSSL_CRYPTO_SM4_H
+# define OSSL_CRYPTO_SM4_H
+
+# include <openssl/opensslconf.h>
+# include <openssl/e_os2.h>
+
+# ifdef OPENSSL_NO_SM4
+#  error SM4 is disabled.
+# endif
+
+# define SM4_ENCRYPT     1
+# define SM4_DECRYPT     0
+
+# define SM4_BLOCK_SIZE    16
+# define SM4_KEY_SCHEDULE  32
+
+typedef struct SM4_KEY_st {
+    uint32_t rk[SM4_KEY_SCHEDULE];
+} SM4_KEY;
+
+int SM4_set_key(const uint8_t *key, SM4_KEY *ks);
+
+void SM4_encrypt(const uint8_t *in, uint8_t *out, const SM4_KEY *ks);
+
+void SM4_decrypt(const uint8_t *in, uint8_t *out, const SM4_KEY *ks);
+
+#endif
--- a/deps/openssl/android/arm64-v8a/usr/local/include/crypto/store.h
+++ b/deps/openssl/android/arm64-v8a/usr/local/include/crypto/store.h
@ -0,0 +1,28 @@
+/*
+ * Copyright 2016-2019 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the OpenSSL license (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#ifndef OSSL_CRYPTO_STORE_H
+# define OSSL_CRYPTO_STORE_H
+
+# include <openssl/bio.h>
+# include <openssl/store.h>
+# include <openssl/ui.h>
+
+/*
+ * Two functions to read PEM data off an already opened BIO.  To be used
+ * instead of OSSLSTORE_open() and OSSLSTORE_close().  Everything is done
+ * as usual with OSSLSTORE_load() and OSSLSTORE_eof().
+ */
+OSSL_STORE_CTX *ossl_store_attach_pem_bio(BIO *bp, const UI_METHOD *ui_method,
+                                          void *ui_data);
+int ossl_store_detach_pem_bio(OSSL_STORE_CTX *ctx);
+
+void ossl_store_cleanup_int(void);
+
+#endif
--- a/deps/openssl/android/arm64-v8a/usr/local/include/crypto/x509.h
+++ b/deps/openssl/android/arm64-v8a/usr/local/include/crypto/x509.h
@ -0,0 +1,291 @@
+/*
+ * Copyright 2015-2021 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the OpenSSL license (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#include "internal/refcount.h"
+#include <openssl/x509.h>
+#include <openssl/conf.h>
+
+/* Internal X509 structures and functions: not for application use */
+
+/* Note: unless otherwise stated a field pointer is mandatory and should
+ * never be set to NULL: the ASN.1 code and accessors rely on mandatory
+ * fields never being NULL.
+ */
+
+/*
+ * name entry structure, equivalent to AttributeTypeAndValue defined
+ * in RFC5280 et al.
+ */
+struct X509_name_entry_st {
+    ASN1_OBJECT *object;        /* AttributeType */
+    ASN1_STRING *value;         /* AttributeValue */
+    int set;                    /* index of RDNSequence for this entry */
+    int size;                   /* temp variable */
+};
+
+/* Name from RFC 5280. */
+struct X509_name_st {
+    STACK_OF(X509_NAME_ENTRY) *entries; /* DN components */
+    int modified;               /* true if 'bytes' needs to be built */
+    BUF_MEM *bytes;             /* cached encoding: cannot be NULL */
+    /* canonical encoding used for rapid Name comparison */
+    unsigned char *canon_enc;
+    int canon_enclen;
+} /* X509_NAME */ ;
+
+/* Signature info structure */
+
+struct x509_sig_info_st {
+    /* NID of message digest */
+    int mdnid;
+    /* NID of public key algorithm */
+    int pknid;
+    /* Security bits */
+    int secbits;
+    /* Various flags */
+    uint32_t flags;
+};
+
+/* PKCS#10 certificate request */
+
+struct X509_req_info_st {
+    ASN1_ENCODING enc;          /* cached encoding of signed part */
+    ASN1_INTEGER *version;      /* version, defaults to v1(0) so can be NULL */
+    X509_NAME *subject;         /* certificate request DN */
+    X509_PUBKEY *pubkey;        /* public key of request */
+    /*
+     * Zero or more attributes.
+     * NB: although attributes is a mandatory field some broken
+     * encodings omit it so this may be NULL in that case.
+     */
+    STACK_OF(X509_ATTRIBUTE) *attributes;
+};
+
+struct X509_req_st {
+    X509_REQ_INFO req_info;     /* signed certificate request data */
+    X509_ALGOR sig_alg;         /* signature algorithm */
+    ASN1_BIT_STRING *signature; /* signature */
+    CRYPTO_REF_COUNT references;
+    CRYPTO_RWLOCK *lock;
+};
+
+struct X509_crl_info_st {
+    ASN1_INTEGER *version;      /* version: defaults to v1(0) so may be NULL */
+    X509_ALGOR sig_alg;         /* signature algorithm */
+    X509_NAME *issuer;          /* CRL issuer name */
+    ASN1_TIME *lastUpdate;      /* lastUpdate field */
+    ASN1_TIME *nextUpdate;      /* nextUpdate field: optional */
+    STACK_OF(X509_REVOKED) *revoked;        /* revoked entries: optional */
+    STACK_OF(X509_EXTENSION) *extensions;   /* extensions: optional */
+    ASN1_ENCODING enc;                      /* encoding of signed portion of CRL */
+};
+
+struct X509_crl_st {
+    X509_CRL_INFO crl;          /* signed CRL data */
+    X509_ALGOR sig_alg;         /* CRL signature algorithm */
+    ASN1_BIT_STRING signature;  /* CRL signature */
+    CRYPTO_REF_COUNT references;
+    int flags;
+    /*
+     * Cached copies of decoded extension values, since extensions
+     * are optional any of these can be NULL.
+     */
+    AUTHORITY_KEYID *akid;
+    ISSUING_DIST_POINT *idp;
+    /* Convenient breakdown of IDP */
+    int idp_flags;
+    int idp_reasons;
+    /* CRL and base CRL numbers for delta processing */
+    ASN1_INTEGER *crl_number;
+    ASN1_INTEGER *base_crl_number;
+    STACK_OF(GENERAL_NAMES) *issuers;
+    /* hash of CRL */
+    unsigned char sha1_hash[SHA_DIGEST_LENGTH];
+    /* alternative method to handle this CRL */
+    const X509_CRL_METHOD *meth;
+    void *meth_data;
+    CRYPTO_RWLOCK *lock;
+};
+
+struct x509_revoked_st {
+    ASN1_INTEGER serialNumber; /* revoked entry serial number */
+    ASN1_TIME *revocationDate;  /* revocation date */
+    STACK_OF(X509_EXTENSION) *extensions;   /* CRL entry extensions: optional */
+    /* decoded value of CRLissuer extension: set if indirect CRL */
+    STACK_OF(GENERAL_NAME) *issuer;
+    /* revocation reason: set to CRL_REASON_NONE if reason extension absent */
+    int reason;
+    /*
+     * CRL entries are reordered for faster lookup of serial numbers. This
+     * field contains the original load sequence for this entry.
+     */
+    int sequence;
+};
+
+/*
+ * This stuff is certificate "auxiliary info": it contains details which are
+ * useful in certificate stores and databases. When used this is tagged onto
+ * the end of the certificate itself. OpenSSL specific structure not defined
+ * in any RFC.
+ */
+
+struct x509_cert_aux_st {
+    STACK_OF(ASN1_OBJECT) *trust; /* trusted uses */
+    STACK_OF(ASN1_OBJECT) *reject; /* rejected uses */
+    ASN1_UTF8STRING *alias;     /* "friendly name" */
+    ASN1_OCTET_STRING *keyid;   /* key id of private key */
+    STACK_OF(X509_ALGOR) *other; /* other unspecified info */
+};
+
+struct x509_cinf_st {
+    ASN1_INTEGER *version;      /* [ 0 ] default of v1 */
+    ASN1_INTEGER serialNumber;
+    X509_ALGOR signature;
+    X509_NAME *issuer;
+    X509_VAL validity;
+    X509_NAME *subject;
+    X509_PUBKEY *key;
+    ASN1_BIT_STRING *issuerUID; /* [ 1 ] optional in v2 */
+    ASN1_BIT_STRING *subjectUID; /* [ 2 ] optional in v2 */
+    STACK_OF(X509_EXTENSION) *extensions; /* [ 3 ] optional in v3 */
+    ASN1_ENCODING enc;
+};
+
+struct x509_st {
+    X509_CINF cert_info;
+    X509_ALGOR sig_alg;
+    ASN1_BIT_STRING signature;
+    X509_SIG_INFO siginf;
+    CRYPTO_REF_COUNT references;
+    CRYPTO_EX_DATA ex_data;
+    /* These contain copies of various extension values */
+    long ex_pathlen;
+    long ex_pcpathlen;
+    uint32_t ex_flags;
+    uint32_t ex_kusage;
+    uint32_t ex_xkusage;
+    uint32_t ex_nscert;
+    ASN1_OCTET_STRING *skid;
+    AUTHORITY_KEYID *akid;
+    X509_POLICY_CACHE *policy_cache;
+    STACK_OF(DIST_POINT) *crldp;
+    STACK_OF(GENERAL_NAME) *altname;
+    NAME_CONSTRAINTS *nc;
+#ifndef OPENSSL_NO_RFC3779
+    STACK_OF(IPAddressFamily) *rfc3779_addr;
+    struct ASIdentifiers_st *rfc3779_asid;
+# endif
+    unsigned char sha1_hash[SHA_DIGEST_LENGTH];
+    X509_CERT_AUX *aux;
+    CRYPTO_RWLOCK *lock;
+    volatile int ex_cached;
+} /* X509 */ ;
+
+/*
+ * This is a used when verifying cert chains.  Since the gathering of the
+ * cert chain can take some time (and have to be 'retried', this needs to be
+ * kept and passed around.
+ */
+struct x509_store_ctx_st {      /* X509_STORE_CTX */
+    X509_STORE *ctx;
+    /* The following are set by the caller */
+    /* The cert to check */
+    X509 *cert;
+    /* chain of X509s - untrusted - passed in */
+    STACK_OF(X509) *untrusted;
+    /* set of CRLs passed in */
+    STACK_OF(X509_CRL) *crls;
+    X509_VERIFY_PARAM *param;
+    /* Other info for use with get_issuer() */
+    void *other_ctx;
+    /* Callbacks for various operations */
+    /* called to verify a certificate */
+    int (*verify) (X509_STORE_CTX *ctx);
+    /* error callback */
+    int (*verify_cb) (int ok, X509_STORE_CTX *ctx);
+    /* get issuers cert from ctx */
+    int (*get_issuer) (X509 **issuer, X509_STORE_CTX *ctx, X509 *x);
+    /* check issued */
+    int (*check_issued) (X509_STORE_CTX *ctx, X509 *x, X509 *issuer);
+    /* Check revocation status of chain */
+    int (*check_revocation) (X509_STORE_CTX *ctx);
+    /* retrieve CRL */
+    int (*get_crl) (X509_STORE_CTX *ctx, X509_CRL **crl, X509 *x);
+    /* Check CRL validity */
+    int (*check_crl) (X509_STORE_CTX *ctx, X509_CRL *crl);
+    /* Check certificate against CRL */
+    int (*cert_crl) (X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x);
+    /* Check policy status of the chain */
+    int (*check_policy) (X509_STORE_CTX *ctx);
+    STACK_OF(X509) *(*lookup_certs) (X509_STORE_CTX *ctx, X509_NAME *nm);
+    STACK_OF(X509_CRL) *(*lookup_crls) (X509_STORE_CTX *ctx, X509_NAME *nm);
+    int (*cleanup) (X509_STORE_CTX *ctx);
+    /* The following is built up */
+    /* if 0, rebuild chain */
+    int valid;
+    /* number of untrusted certs */
+    int num_untrusted;
+    /* chain of X509s - built up and trusted */
+    STACK_OF(X509) *chain;
+    /* Valid policy tree */
+    X509_POLICY_TREE *tree;
+    /* Require explicit policy value */
+    int explicit_policy;
+    /* When something goes wrong, this is why */
+    int error_depth;
+    int error;
+    X509 *current_cert;
+    /* cert currently being tested as valid issuer */
+    X509 *current_issuer;
+    /* current CRL */
+    X509_CRL *current_crl;
+    /* score of current CRL */
+    int current_crl_score;
+    /* Reason mask */
+    unsigned int current_reasons;
+    /* For CRL path validation: parent context */
+    X509_STORE_CTX *parent;
+    CRYPTO_EX_DATA ex_data;
+    SSL_DANE *dane;
+    /* signed via bare TA public key, rather than CA certificate */
+    int bare_ta_signed;
+};
+
+/* PKCS#8 private key info structure */
+
+struct pkcs8_priv_key_info_st {
+    ASN1_INTEGER *version;
+    X509_ALGOR *pkeyalg;
+    ASN1_OCTET_STRING *pkey;
+    STACK_OF(X509_ATTRIBUTE) *attributes;
+};
+
+struct X509_sig_st {
+    X509_ALGOR *algor;
+    ASN1_OCTET_STRING *digest;
+};
+
+struct x509_object_st {
+    /* one of the above types */
+    X509_LOOKUP_TYPE type;
+    union {
+        char *ptr;
+        X509 *x509;
+        X509_CRL *crl;
+        EVP_PKEY *pkey;
+    } data;
+};
+
+int a2i_ipadd(unsigned char *ipout, const char *ipasc);
+int x509_set1_time(ASN1_TIME **ptm, const ASN1_TIME *tm);
+
+void x509_init_sig_info(X509 *x);
+
+int x509v3_add_len_value_uchar(const char *name, const unsigned char *value,
+                               size_t vallen, STACK_OF(CONF_VALUE) **extlist);
--- a/deps/openssl/android/arm64-v8a/usr/local/include/internal/__DECC_INCLUDE_EPILOGUE.H
+++ b/deps/openssl/android/arm64-v8a/usr/local/include/internal/__DECC_INCLUDE_EPILOGUE.H
@ -0,0 +1,16 @@
+/*
+ * Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the OpenSSL license (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+/*
+ * This file is only used by HP C on VMS, and is included automatically
+ * after each header file from this directory
+ */
+
+/* restore state.  Must correspond to the save in __decc_include_prologue.h */
+#pragma names restore
--- a/deps/openssl/android/arm64-v8a/usr/local/include/internal/__DECC_INCLUDE_PROLOGUE.H
+++ b/deps/openssl/android/arm64-v8a/usr/local/include/internal/__DECC_INCLUDE_PROLOGUE.H
@ -0,0 +1,20 @@
+/*
+ * Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the OpenSSL license (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+/*
+ * This file is only used by HP C on VMS, and is included automatically
+ * after each header file from this directory
+ */
+
+/* save state */
+#pragma names save
+/* have the compiler shorten symbols larger than 31 chars to 23 chars
+ * followed by a 8 hex char CRC
+ */
+#pragma names as_is,shortened
--- a/deps/openssl/android/arm64-v8a/usr/local/include/internal/bio.h
+++ b/deps/openssl/android/arm64-v8a/usr/local/include/internal/bio.h
@ -0,0 +1,33 @@
+/*
+ * Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the OpenSSL license (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#include <openssl/bio.h>
+
+struct bio_method_st {
+    int type;
+    char *name;
+    int (*bwrite) (BIO *, const char *, size_t, size_t *);
+    int (*bwrite_old) (BIO *, const char *, int);
+    int (*bread) (BIO *, char *, size_t, size_t *);
+    int (*bread_old) (BIO *, char *, int);
+    int (*bputs) (BIO *, const char *);
+    int (*bgets) (BIO *, char *, int);
+    long (*ctrl) (BIO *, int, long, void *);
+    int (*create) (BIO *);
+    int (*destroy) (BIO *);
+    long (*callback_ctrl) (BIO *, int, BIO_info_cb *);
+};
+
+void bio_free_ex_data(BIO *bio);
+void bio_cleanup(void);
+
+
+/* Old style to new style BIO_METHOD conversion functions */
+int bwrite_conv(BIO *bio, const char *data, size_t datal, size_t *written);
+int bread_conv(BIO *bio, char *data, size_t datal, size_t *read);
--- a/deps/openssl/android/arm64-v8a/usr/local/include/internal/comp.h
+++ b/deps/openssl/android/arm64-v8a/usr/local/include/internal/comp.h
@ -0,0 +1,12 @@
+/*
+ * Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the OpenSSL license (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#include <openssl/comp.h>
+
+void comp_zlib_cleanup_int(void);
--- a/deps/openssl/android/arm64-v8a/usr/local/include/internal/conf.h
+++ b/deps/openssl/android/arm64-v8a/usr/local/include/internal/conf.h
@ -0,0 +1,30 @@
+/*
+ * Copyright 2016-2019 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the OpenSSL license (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#ifndef OSSL_INTERNAL_CONF_H
+# define OSSL_INTERNAL_CONF_H
+
+#include <openssl/conf.h>
+
+#define DEFAULT_CONF_MFLAGS \
+    (CONF_MFLAGS_DEFAULT_SECTION | \
+     CONF_MFLAGS_IGNORE_MISSING_FILE | \
+     CONF_MFLAGS_IGNORE_RETURN_CODES)
+
+struct ossl_init_settings_st {
+    char *filename;
+    char *appname;
+    unsigned long flags;
+};
+
+int openssl_config_int(const OPENSSL_INIT_SETTINGS *);
+void openssl_no_config_int(void);
+void conf_modules_free_int(void);
+
+#endif
--- a/deps/openssl/android/arm64-v8a/usr/local/include/internal/constant_time.h
+++ b/deps/openssl/android/arm64-v8a/usr/local/include/internal/constant_time.h
@ -0,0 +1,387 @@
+/*
+ * Copyright 2014-2019 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the OpenSSL license (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#ifndef OSSL_INTERNAL_CONSTANT_TIME_H
+# define OSSL_INTERNAL_CONSTANT_TIME_H
+
+# include <stdlib.h>
+# include <string.h>
+# include <openssl/e_os2.h>              /* For 'ossl_inline' */
+
+/*-
+ * The boolean methods return a bitmask of all ones (0xff...f) for true
+ * and 0 for false. This is useful for choosing a value based on the result
+ * of a conditional in constant time. For example,
+ *      if (a < b) {
+ *        c = a;
+ *      } else {
+ *        c = b;
+ *      }
+ * can be written as
+ *      unsigned int lt = constant_time_lt(a, b);
+ *      c = constant_time_select(lt, a, b);
+ */
+
+/* Returns the given value with the MSB copied to all the other bits. */
+static ossl_inline unsigned int constant_time_msb(unsigned int a);
+/* Convenience method for uint32_t. */
+static ossl_inline uint32_t constant_time_msb_32(uint32_t a);
+/* Convenience method for uint64_t. */
+static ossl_inline uint64_t constant_time_msb_64(uint64_t a);
+
+/* Returns 0xff..f if a < b and 0 otherwise. */
+static ossl_inline unsigned int constant_time_lt(unsigned int a,
+                                                 unsigned int b);
+/* Convenience method for getting an 8-bit mask. */
+static ossl_inline unsigned char constant_time_lt_8(unsigned int a,
+                                                    unsigned int b);
+/* Convenience method for uint64_t. */
+static ossl_inline uint64_t constant_time_lt_64(uint64_t a, uint64_t b);
+
+/* Returns 0xff..f if a >= b and 0 otherwise. */
+static ossl_inline unsigned int constant_time_ge(unsigned int a,
+                                                 unsigned int b);
+/* Convenience method for getting an 8-bit mask. */
+static ossl_inline unsigned char constant_time_ge_8(unsigned int a,
+                                                    unsigned int b);
+
+/* Returns 0xff..f if a == 0 and 0 otherwise. */
+static ossl_inline unsigned int constant_time_is_zero(unsigned int a);
+/* Convenience method for getting an 8-bit mask. */
+static ossl_inline unsigned char constant_time_is_zero_8(unsigned int a);
+/* Convenience method for getting a 32-bit mask. */
+static ossl_inline uint32_t constant_time_is_zero_32(uint32_t a);
+
+/* Returns 0xff..f if a == b and 0 otherwise. */
+static ossl_inline unsigned int constant_time_eq(unsigned int a,
+                                                 unsigned int b);
+/* Convenience method for getting an 8-bit mask. */
+static ossl_inline unsigned char constant_time_eq_8(unsigned int a,
+                                                    unsigned int b);
+/* Signed integers. */
+static ossl_inline unsigned int constant_time_eq_int(int a, int b);
+/* Convenience method for getting an 8-bit mask. */
+static ossl_inline unsigned char constant_time_eq_int_8(int a, int b);
+
+/*-
+ * Returns (mask & a) | (~mask & b).
+ *
+ * When |mask| is all 1s or all 0s (as returned by the methods above),
+ * the select methods return either |a| (if |mask| is nonzero) or |b|
+ * (if |mask| is zero).
+ */
+static ossl_inline unsigned int constant_time_select(unsigned int mask,
+                                                     unsigned int a,
+                                                     unsigned int b);
+/* Convenience method for unsigned chars. */
+static ossl_inline unsigned char constant_time_select_8(unsigned char mask,
+                                                        unsigned char a,
+                                                        unsigned char b);
+
+/* Convenience method for uint32_t. */
+static ossl_inline uint32_t constant_time_select_32(uint32_t mask, uint32_t a,
+                                                    uint32_t b);
+
+/* Convenience method for uint64_t. */
+static ossl_inline uint64_t constant_time_select_64(uint64_t mask, uint64_t a,
+                                                    uint64_t b);
+/* Convenience method for signed integers. */
+static ossl_inline int constant_time_select_int(unsigned int mask, int a,
+                                                int b);
+
+
+static ossl_inline unsigned int constant_time_msb(unsigned int a)
+{
+    return 0 - (a >> (sizeof(a) * 8 - 1));
+}
+
+
+static ossl_inline uint32_t constant_time_msb_32(uint32_t a)
+{
+    return 0 - (a >> 31);
+}
+
+static ossl_inline uint64_t constant_time_msb_64(uint64_t a)
+{
+    return 0 - (a >> 63);
+}
+
+static ossl_inline size_t constant_time_msb_s(size_t a)
+{
+    return 0 - (a >> (sizeof(a) * 8 - 1));
+}
+
+static ossl_inline unsigned int constant_time_lt(unsigned int a,
+                                                 unsigned int b)
+{
+    return constant_time_msb(a ^ ((a ^ b) | ((a - b) ^ b)));
+}
+
+static ossl_inline size_t constant_time_lt_s(size_t a, size_t b)
+{
+    return constant_time_msb_s(a ^ ((a ^ b) | ((a - b) ^ b)));
+}
+
+static ossl_inline unsigned char constant_time_lt_8(unsigned int a,
+                                                    unsigned int b)
+{
+    return (unsigned char)constant_time_lt(a, b);
+}
+
+static ossl_inline uint64_t constant_time_lt_64(uint64_t a, uint64_t b)
+{
+    return constant_time_msb_64(a ^ ((a ^ b) | ((a - b) ^ b)));
+}
+
+static ossl_inline unsigned int constant_time_ge(unsigned int a,
+                                                 unsigned int b)
+{
+    return ~constant_time_lt(a, b);
+}
+
+static ossl_inline size_t constant_time_ge_s(size_t a, size_t b)
+{
+    return ~constant_time_lt_s(a, b);
+}
+
+static ossl_inline unsigned char constant_time_ge_8(unsigned int a,
+                                                    unsigned int b)
+{
+    return (unsigned char)constant_time_ge(a, b);
+}
+
+static ossl_inline unsigned char constant_time_ge_8_s(size_t a, size_t b)
+{
+    return (unsigned char)constant_time_ge_s(a, b);
+}
+
+static ossl_inline unsigned int constant_time_is_zero(unsigned int a)
+{
+    return constant_time_msb(~a & (a - 1));
+}
+
+static ossl_inline size_t constant_time_is_zero_s(size_t a)
+{
+    return constant_time_msb_s(~a & (a - 1));
+}
+
+static ossl_inline unsigned char constant_time_is_zero_8(unsigned int a)
+{
+    return (unsigned char)constant_time_is_zero(a);
+}
+
+static ossl_inline uint32_t constant_time_is_zero_32(uint32_t a)
+{
+    return constant_time_msb_32(~a & (a - 1));
+}
+
+static ossl_inline unsigned int constant_time_eq(unsigned int a,
+                                                 unsigned int b)
+{
+    return constant_time_is_zero(a ^ b);
+}
+
+static ossl_inline size_t constant_time_eq_s(size_t a, size_t b)
+{
+    return constant_time_is_zero_s(a ^ b);
+}
+
+static ossl_inline unsigned char constant_time_eq_8(unsigned int a,
+                                                    unsigned int b)
+{
+    return (unsigned char)constant_time_eq(a, b);
+}
+
+static ossl_inline unsigned char constant_time_eq_8_s(size_t a, size_t b)
+{
+    return (unsigned char)constant_time_eq_s(a, b);
+}
+
+static ossl_inline unsigned int constant_time_eq_int(int a, int b)
+{
+    return constant_time_eq((unsigned)(a), (unsigned)(b));
+}
+
+static ossl_inline unsigned char constant_time_eq_int_8(int a, int b)
+{
+    return constant_time_eq_8((unsigned)(a), (unsigned)(b));
+}
+
+/*
+ * Returns the value unmodified, but avoids optimizations.
+ * The barriers prevent the compiler from narrowing down the
+ * possible value range of the mask and ~mask in the select
+ * statements, which avoids the recognition of the select
+ * and turning it into a conditional load or branch.
+ */
+static ossl_inline unsigned int value_barrier(unsigned int a)
+{
+#if !defined(OPENSSL_NO_ASM) && defined(__GNUC__)
+    unsigned int r;
+    __asm__("" : "=r"(r) : "0"(a));
+#else
+    volatile unsigned int r = a;
+#endif
+    return r;
+}
+
+/* Convenience method for uint32_t. */
+static ossl_inline uint32_t value_barrier_32(uint32_t a)
+{
+#if !defined(OPENSSL_NO_ASM) && defined(__GNUC__)
+    uint32_t r;
+    __asm__("" : "=r"(r) : "0"(a));
+#else
+    volatile uint32_t r = a;
+#endif
+    return r;
+}
+
+/* Convenience method for uint64_t. */
+static ossl_inline uint64_t value_barrier_64(uint64_t a)
+{
+#if !defined(OPENSSL_NO_ASM) && defined(__GNUC__)
+    uint64_t r;
+    __asm__("" : "=r"(r) : "0"(a));
+#else
+    volatile uint64_t r = a;
+#endif
+    return r;
+}
+
+/* Convenience method for size_t. */
+static ossl_inline size_t value_barrier_s(size_t a)
+{
+#if !defined(OPENSSL_NO_ASM) && defined(__GNUC__)
+    size_t r;
+    __asm__("" : "=r"(r) : "0"(a));
+#else
+    volatile size_t r = a;
+#endif
+    return r;
+}
+
+static ossl_inline unsigned int constant_time_select(unsigned int mask,
+                                                     unsigned int a,
+                                                     unsigned int b)
+{
+    return (value_barrier(mask) & a) | (value_barrier(~mask) & b);
+}
+
+static ossl_inline size_t constant_time_select_s(size_t mask,
+                                                 size_t a,
+                                                 size_t b)
+{
+    return (value_barrier_s(mask) & a) | (value_barrier_s(~mask) & b);
+}
+
+static ossl_inline unsigned char constant_time_select_8(unsigned char mask,
+                                                        unsigned char a,
+                                                        unsigned char b)
+{
+    return (unsigned char)constant_time_select(mask, a, b);
+}
+
+static ossl_inline int constant_time_select_int(unsigned int mask, int a,
+                                                int b)
+{
+    return (int)constant_time_select(mask, (unsigned)(a), (unsigned)(b));
+}
+
+static ossl_inline int constant_time_select_int_s(size_t mask, int a, int b)
+{
+    return (int)constant_time_select((unsigned)mask, (unsigned)(a),
+                                      (unsigned)(b));
+}
+
+static ossl_inline uint32_t constant_time_select_32(uint32_t mask, uint32_t a,
+                                                    uint32_t b)
+{
+    return (value_barrier_32(mask) & a) | (value_barrier_32(~mask) & b);
+}
+
+static ossl_inline uint64_t constant_time_select_64(uint64_t mask, uint64_t a,
+                                                    uint64_t b)
+{
+    return (value_barrier_64(mask) & a) | (value_barrier_64(~mask) & b);
+}
+
+/*
+ * mask must be 0xFFFFFFFF or 0x00000000.
+ *
+ * if (mask) {
+ *     uint32_t tmp = *a;
+ *
+ *     *a = *b;
+ *     *b = tmp;
+ * }
+ */
+static ossl_inline void constant_time_cond_swap_32(uint32_t mask, uint32_t *a,
+                                                   uint32_t *b)
+{
+    uint32_t xor = *a ^ *b;
+
+    xor &= mask;
+    *a ^= xor;
+    *b ^= xor;
+}
+
+/*
+ * mask must be 0xFFFFFFFF or 0x00000000.
+ *
+ * if (mask) {
+ *     uint64_t tmp = *a;
+ *
+ *     *a = *b;
+ *     *b = tmp;
+ * }
+ */
+static ossl_inline void constant_time_cond_swap_64(uint64_t mask, uint64_t *a,
+                                                   uint64_t *b)
+{
+    uint64_t xor = *a ^ *b;
+
+    xor &= mask;
+    *a ^= xor;
+    *b ^= xor;
+}
+
+/*
+ * table is a two dimensional array of bytes. Each row has rowsize elements.
+ * Copies row number idx into out. rowsize and numrows are not considered
+ * private.
+ */
+static ossl_inline void constant_time_lookup(void *out,
+                                             const void *table,
+                                             size_t rowsize,
+                                             size_t numrows,
+                                             size_t idx)
+{
+    size_t i, j;
+    const unsigned char *tablec = (const unsigned char *)table;
+    unsigned char *outc = (unsigned char *)out;
+    unsigned char mask;
+
+    memset(out, 0, rowsize);
+
+    /* Note idx may underflow - but that is well defined */
+    for (i = 0; i < numrows; i++, idx--) {
+        mask = (unsigned char)constant_time_is_zero_s(idx);
+        for (j = 0; j < rowsize; j++)
+            *(outc + j) |= constant_time_select_8(mask, *(tablec++), 0);
+    }
+}
+
+/*
+ * Expected usage pattern is to unconditionally set error and then
+ * wipe it if there was no actual error. |clear| is 1 or 0.
+ */
+void err_clear_last_constant_time(int clear);
+
+#endif                          /* OSSL_INTERNAL_CONSTANT_TIME_H */
--- a/deps/openssl/android/arm64-v8a/usr/local/include/internal/cryptlib.h
+++ b/deps/openssl/android/arm64-v8a/usr/local/include/internal/cryptlib.h
@ -0,0 +1,99 @@
+/*
+ * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the OpenSSL license (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#ifndef OSSL_INTERNAL_CRYPTLIB_H
+# define OSSL_INTERNAL_CRYPTLIB_H
+
+# include <stdlib.h>
+# include <string.h>
+
+# ifdef OPENSSL_USE_APPLINK
+#  undef BIO_FLAGS_UPLINK
+#  define BIO_FLAGS_UPLINK 0x8000
+#  include "ms/uplink.h"
+# endif
+
+# include <openssl/crypto.h>
+# include <openssl/buffer.h>
+# include <openssl/bio.h>
+# include <openssl/err.h>
+# include "internal/nelem.h"
+
+#ifdef NDEBUG
+# define ossl_assert(x) ((x) != 0)
+#else
+__owur static ossl_inline int ossl_assert_int(int expr, const char *exprstr,
+                                              const char *file, int line)
+{
+    if (!expr)
+        OPENSSL_die(exprstr, file, line);
+
+    return expr;
+}
+
+# define ossl_assert(x) ossl_assert_int((x) != 0, "Assertion failed: "#x, \
+                                         __FILE__, __LINE__)
+
+#endif
+
+typedef struct ex_callback_st EX_CALLBACK;
+
+DEFINE_STACK_OF(EX_CALLBACK)
+
+typedef struct app_mem_info_st APP_INFO;
+
+typedef struct mem_st MEM;
+DEFINE_LHASH_OF(MEM);
+
+# define OPENSSL_CONF             "openssl.cnf"
+
+# ifndef OPENSSL_SYS_VMS
+#  define X509_CERT_AREA          OPENSSLDIR
+#  define X509_CERT_DIR           OPENSSLDIR "/certs"
+#  define X509_CERT_FILE          OPENSSLDIR "/cert.pem"
+#  define X509_PRIVATE_DIR        OPENSSLDIR "/private"
+#  define CTLOG_FILE              OPENSSLDIR "/ct_log_list.cnf"
+# else
+#  define X509_CERT_AREA          "OSSL$DATAROOT:[000000]"
+#  define X509_CERT_DIR           "OSSL$DATAROOT:[CERTS]"
+#  define X509_CERT_FILE          "OSSL$DATAROOT:[000000]cert.pem"
+#  define X509_PRIVATE_DIR        "OSSL$DATAROOT:[PRIVATE]"
+#  define CTLOG_FILE              "OSSL$DATAROOT:[000000]ct_log_list.cnf"
+# endif
+
+# define X509_CERT_DIR_EVP        "SSL_CERT_DIR"
+# define X509_CERT_FILE_EVP       "SSL_CERT_FILE"
+# define CTLOG_FILE_EVP           "CTLOG_FILE"
+
+/* size of string representations */
+# define DECIMAL_SIZE(type)      ((sizeof(type)*8+2)/3+1)
+# define HEX_SIZE(type)          (sizeof(type)*2)
+
+void OPENSSL_cpuid_setup(void);
+extern unsigned int OPENSSL_ia32cap_P[];
+void OPENSSL_showfatal(const char *fmta, ...);
+void crypto_cleanup_all_ex_data_int(void);
+int openssl_init_fork_handlers(void);
+int openssl_get_fork_id(void);
+
+char *ossl_safe_getenv(const char *name);
+
+extern CRYPTO_RWLOCK *memdbg_lock;
+int openssl_strerror_r(int errnum, char *buf, size_t buflen);
+# if !defined(OPENSSL_NO_STDIO)
+FILE *openssl_fopen(const char *filename, const char *mode);
+# else
+void *openssl_fopen(const char *filename, const char *mode);
+# endif
+
+uint32_t OPENSSL_rdtsc(void);
+size_t OPENSSL_instrument_bus(unsigned int *, size_t);
+size_t OPENSSL_instrument_bus2(unsigned int *, size_t, size_t);
+
+#endif
--- a/deps/openssl/android/arm64-v8a/usr/local/include/internal/dane.h
+++ b/deps/openssl/android/arm64-v8a/usr/local/include/internal/dane.h
@ -0,0 +1,103 @@
+/*
+ * Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the OpenSSL license (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#ifndef OSSL_INTERNAL_DANE_H
+#define OSSL_INTERNAL_DANE_H
+
+#include <openssl/safestack.h>
+
+/*-
+ * Certificate usages:
+ * https://tools.ietf.org/html/rfc6698#section-2.1.1
+ */
+#define DANETLS_USAGE_PKIX_TA   0
+#define DANETLS_USAGE_PKIX_EE   1
+#define DANETLS_USAGE_DANE_TA   2
+#define DANETLS_USAGE_DANE_EE   3
+#define DANETLS_USAGE_LAST      DANETLS_USAGE_DANE_EE
+
+/*-
+ * Selectors:
+ * https://tools.ietf.org/html/rfc6698#section-2.1.2
+ */
+#define DANETLS_SELECTOR_CERT   0
+#define DANETLS_SELECTOR_SPKI   1
+#define DANETLS_SELECTOR_LAST   DANETLS_SELECTOR_SPKI
+
+/*-
+ * Matching types:
+ * https://tools.ietf.org/html/rfc6698#section-2.1.3
+ */
+#define DANETLS_MATCHING_FULL   0
+#define DANETLS_MATCHING_2256   1
+#define DANETLS_MATCHING_2512   2
+#define DANETLS_MATCHING_LAST   DANETLS_MATCHING_2512
+
+typedef struct danetls_record_st {
+    uint8_t usage;
+    uint8_t selector;
+    uint8_t mtype;
+    unsigned char *data;
+    size_t dlen;
+    EVP_PKEY *spki;
+} danetls_record;
+
+DEFINE_STACK_OF(danetls_record)
+
+/*
+ * Shared DANE context
+ */
+struct dane_ctx_st {
+    const EVP_MD  **mdevp;      /* mtype -> digest */
+    uint8_t        *mdord;      /* mtype -> preference */
+    uint8_t         mdmax;      /* highest supported mtype */
+    unsigned long   flags;      /* feature bitmask */
+};
+
+/*
+ * Per connection DANE state
+ */
+struct ssl_dane_st {
+    struct dane_ctx_st *dctx;
+    STACK_OF(danetls_record) *trecs;
+    STACK_OF(X509) *certs;      /* DANE-TA(2) Cert(0) Full(0) certs */
+    danetls_record *mtlsa;      /* Matching TLSA record */
+    X509           *mcert;      /* DANE matched cert */
+    uint32_t        umask;      /* Usages present */
+    int             mdpth;      /* Depth of matched cert */
+    int             pdpth;      /* Depth of PKIX trust */
+    unsigned long   flags;      /* feature bitmask */
+};
+
+#define DANETLS_ENABLED(dane)  \
+    ((dane) != NULL && sk_danetls_record_num((dane)->trecs) > 0)
+
+#define DANETLS_USAGE_BIT(u)   (((uint32_t)1) << u)
+
+#define DANETLS_PKIX_TA_MASK (DANETLS_USAGE_BIT(DANETLS_USAGE_PKIX_TA))
+#define DANETLS_PKIX_EE_MASK (DANETLS_USAGE_BIT(DANETLS_USAGE_PKIX_EE))
+#define DANETLS_DANE_TA_MASK (DANETLS_USAGE_BIT(DANETLS_USAGE_DANE_TA))
+#define DANETLS_DANE_EE_MASK (DANETLS_USAGE_BIT(DANETLS_USAGE_DANE_EE))
+
+#define DANETLS_PKIX_MASK (DANETLS_PKIX_TA_MASK | DANETLS_PKIX_EE_MASK)
+#define DANETLS_DANE_MASK (DANETLS_DANE_TA_MASK | DANETLS_DANE_EE_MASK)
+#define DANETLS_TA_MASK (DANETLS_PKIX_TA_MASK | DANETLS_DANE_TA_MASK)
+#define DANETLS_EE_MASK (DANETLS_PKIX_EE_MASK | DANETLS_DANE_EE_MASK)
+
+#define DANETLS_HAS_PKIX(dane) ((dane) && ((dane)->umask & DANETLS_PKIX_MASK))
+#define DANETLS_HAS_DANE(dane) ((dane) && ((dane)->umask & DANETLS_DANE_MASK))
+#define DANETLS_HAS_TA(dane)   ((dane) && ((dane)->umask & DANETLS_TA_MASK))
+#define DANETLS_HAS_EE(dane)   ((dane) && ((dane)->umask & DANETLS_EE_MASK))
+
+#define DANETLS_HAS_PKIX_TA(dane) ((dane)&&((dane)->umask & DANETLS_PKIX_TA_MASK))
+#define DANETLS_HAS_PKIX_EE(dane) ((dane)&&((dane)->umask & DANETLS_PKIX_EE_MASK))
+#define DANETLS_HAS_DANE_TA(dane) ((dane)&&((dane)->umask & DANETLS_DANE_TA_MASK))
+#define DANETLS_HAS_DANE_EE(dane) ((dane)&&((dane)->umask & DANETLS_DANE_EE_MASK))
+
+#endif /* OSSL_INTERNAL_DANE_H */
--- a/deps/openssl/android/arm64-v8a/usr/local/include/internal/dso.h
+++ b/deps/openssl/android/arm64-v8a/usr/local/include/internal/dso.h
@ -0,0 +1,165 @@
+/*
+ * Copyright 2000-2018 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the OpenSSL license (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#ifndef OSSL_INTERNAL_DSO_H
+# define OSSL_INTERNAL_DSO_H
+
+# include <openssl/crypto.h>
+# include "internal/dsoerr.h"
+
+/* These values are used as commands to DSO_ctrl() */
+# define DSO_CTRL_GET_FLAGS      1
+# define DSO_CTRL_SET_FLAGS      2
+# define DSO_CTRL_OR_FLAGS       3
+
+/*
+ * By default, DSO_load() will translate the provided filename into a form
+ * typical for the platform using the dso_name_converter function of the
+ * method. Eg. win32 will transform "blah" into "blah.dll", and dlfcn will
+ * transform it into "libblah.so". This callback could even utilise the
+ * DSO_METHOD's converter too if it only wants to override behaviour for
+ * one or two possible DSO methods. However, the following flag can be
+ * set in a DSO to prevent *any* native name-translation at all - eg. if
+ * the caller has prompted the user for a path to a driver library so the
+ * filename should be interpreted as-is.
+ */
+# define DSO_FLAG_NO_NAME_TRANSLATION            0x01
+/*
+ * An extra flag to give if only the extension should be added as
+ * translation.  This is obviously only of importance on Unix and other
+ * operating systems where the translation also may prefix the name with
+ * something, like 'lib', and ignored everywhere else. This flag is also
+ * ignored if DSO_FLAG_NO_NAME_TRANSLATION is used at the same time.
+ */
+# define DSO_FLAG_NAME_TRANSLATION_EXT_ONLY      0x02
+
+/*
+ * Don't unload the DSO when we call DSO_free()
+ */
+# define DSO_FLAG_NO_UNLOAD_ON_FREE              0x04
+
+/*
+ * This flag loads the library with public symbols. Meaning: The exported
+ * symbols of this library are public to all libraries loaded after this
+ * library. At the moment only implemented in unix.
+ */
+# define DSO_FLAG_GLOBAL_SYMBOLS                 0x20
+
+typedef void (*DSO_FUNC_TYPE) (void);
+
+typedef struct dso_st DSO;
+typedef struct dso_meth_st DSO_METHOD;
+
+/*
+ * The function prototype used for method functions (or caller-provided
+ * callbacks) that transform filenames. They are passed a DSO structure
+ * pointer (or NULL if they are to be used independently of a DSO object) and
+ * a filename to transform. They should either return NULL (if there is an
+ * error condition) or a newly allocated string containing the transformed
+ * form that the caller will need to free with OPENSSL_free() when done.
+ */
+typedef char *(*DSO_NAME_CONVERTER_FUNC)(DSO *, const char *);
+/*
+ * The function prototype used for method functions (or caller-provided
+ * callbacks) that merge two file specifications. They are passed a DSO
+ * structure pointer (or NULL if they are to be used independently of a DSO
+ * object) and two file specifications to merge. They should either return
+ * NULL (if there is an error condition) or a newly allocated string
+ * containing the result of merging that the caller will need to free with
+ * OPENSSL_free() when done. Here, merging means that bits and pieces are
+ * taken from each of the file specifications and added together in whatever
+ * fashion that is sensible for the DSO method in question.  The only rule
+ * that really applies is that if the two specification contain pieces of the
+ * same type, the copy from the first string takes priority.  One could see
+ * it as the first specification is the one given by the user and the second
+ * being a bunch of defaults to add on if they're missing in the first.
+ */
+typedef char *(*DSO_MERGER_FUNC)(DSO *, const char *, const char *);
+
+DSO *DSO_new(void);
+int DSO_free(DSO *dso);
+int DSO_flags(DSO *dso);
+int DSO_up_ref(DSO *dso);
+long DSO_ctrl(DSO *dso, int cmd, long larg, void *parg);
+
+/*
+ * These functions can be used to get/set the platform-independent filename
+ * used for a DSO. NB: set will fail if the DSO is already loaded.
+ */
+const char *DSO_get_filename(DSO *dso);
+int DSO_set_filename(DSO *dso, const char *filename);
+/*
+ * This function will invoke the DSO's name_converter callback to translate a
+ * filename, or if the callback isn't set it will instead use the DSO_METHOD's
+ * converter. If "filename" is NULL, the "filename" in the DSO itself will be
+ * used. If the DSO_FLAG_NO_NAME_TRANSLATION flag is set, then the filename is
+ * simply duplicated. NB: This function is usually called from within a
+ * DSO_METHOD during the processing of a DSO_load() call, and is exposed so
+ * that caller-created DSO_METHODs can do the same thing. A non-NULL return
+ * value will need to be OPENSSL_free()'d.
+ */
+char *DSO_convert_filename(DSO *dso, const char *filename);
+/*
+ * This function will invoke the DSO's merger callback to merge two file
+ * specifications, or if the callback isn't set it will instead use the
+ * DSO_METHOD's merger.  A non-NULL return value will need to be
+ * OPENSSL_free()'d.
+ */
+char *DSO_merge(DSO *dso, const char *filespec1, const char *filespec2);
+
+/*
+ * The all-singing all-dancing load function, you normally pass NULL for the
+ * first and third parameters. Use DSO_up_ref and DSO_free for subsequent
+ * reference count handling. Any flags passed in will be set in the
+ * constructed DSO after its init() function but before the load operation.
+ * If 'dso' is non-NULL, 'flags' is ignored.
+ */
+DSO *DSO_load(DSO *dso, const char *filename, DSO_METHOD *meth, int flags);
+
+/* This function binds to a function inside a shared library. */
+DSO_FUNC_TYPE DSO_bind_func(DSO *dso, const char *symname);
+
+/*
+ * This method is the default, but will beg, borrow, or steal whatever method
+ * should be the default on any particular platform (including
+ * DSO_METH_null() if necessary).
+ */
+DSO_METHOD *DSO_METHOD_openssl(void);
+
+/*
+ * This function writes null-terminated pathname of DSO module containing
+ * 'addr' into 'sz' large caller-provided 'path' and returns the number of
+ * characters [including trailing zero] written to it. If 'sz' is 0 or
+ * negative, 'path' is ignored and required amount of characters [including
+ * trailing zero] to accommodate pathname is returned. If 'addr' is NULL, then
+ * pathname of cryptolib itself is returned. Negative or zero return value
+ * denotes error.
+ */
+int DSO_pathbyaddr(void *addr, char *path, int sz);
+
+/*
+ * Like DSO_pathbyaddr() but instead returns a handle to the DSO for the symbol
+ * or NULL on error.
+ */
+DSO *DSO_dsobyaddr(void *addr, int flags);
+
+/*
+ * This function should be used with caution! It looks up symbols in *all*
+ * loaded modules and if module gets unloaded by somebody else attempt to
+ * dereference the pointer is doomed to have fatal consequences. Primary
+ * usage for this function is to probe *core* system functionality, e.g.
+ * check if getnameinfo(3) is available at run-time without bothering about
+ * OS-specific details such as libc.so.versioning or where does it actually
+ * reside: in libc itself or libsocket.
+ */
+void *DSO_global_lookup(const char *name);
+
+int ERR_load_DSO_strings(void);
+
+#endif
--- a/deps/openssl/android/arm64-v8a/usr/local/include/internal/dsoerr.h
+++ b/deps/openssl/android/arm64-v8a/usr/local/include/internal/dsoerr.h
@ -0,0 +1,82 @@
+/*
+ * Generated by util/mkerr.pl DO NOT EDIT
+ * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the OpenSSL license (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#ifndef OSSL_INTERNAL_DSOERR_H
+# define OSSL_INTERNAL_DSOERR_H
+
+# ifndef HEADER_SYMHACKS_H
+#  include <openssl/symhacks.h>
+# endif
+
+# ifdef  __cplusplus
+extern "C"
+# endif
+int ERR_load_DSO_strings(void);
+
+/*
+ * DSO function codes.
+ */
+#  define DSO_F_DLFCN_BIND_FUNC                            100
+#  define DSO_F_DLFCN_LOAD                                 102
+#  define DSO_F_DLFCN_MERGER                               130
+#  define DSO_F_DLFCN_NAME_CONVERTER                       123
+#  define DSO_F_DLFCN_UNLOAD                               103
+#  define DSO_F_DL_BIND_FUNC                               104
+#  define DSO_F_DL_LOAD                                    106
+#  define DSO_F_DL_MERGER                                  131
+#  define DSO_F_DL_NAME_CONVERTER                          124
+#  define DSO_F_DL_UNLOAD                                  107
+#  define DSO_F_DSO_BIND_FUNC                              108
+#  define DSO_F_DSO_CONVERT_FILENAME                       126
+#  define DSO_F_DSO_CTRL                                   110
+#  define DSO_F_DSO_FREE                                   111
+#  define DSO_F_DSO_GET_FILENAME                           127
+#  define DSO_F_DSO_GLOBAL_LOOKUP                          139
+#  define DSO_F_DSO_LOAD                                   112
+#  define DSO_F_DSO_MERGE                                  132
+#  define DSO_F_DSO_NEW_METHOD                             113
+#  define DSO_F_DSO_PATHBYADDR                             105
+#  define DSO_F_DSO_SET_FILENAME                           129
+#  define DSO_F_DSO_UP_REF                                 114
+#  define DSO_F_VMS_BIND_SYM                               115
+#  define DSO_F_VMS_LOAD                                   116
+#  define DSO_F_VMS_MERGER                                 133
+#  define DSO_F_VMS_UNLOAD                                 117
+#  define DSO_F_WIN32_BIND_FUNC                            101
+#  define DSO_F_WIN32_GLOBALLOOKUP                         142
+#  define DSO_F_WIN32_JOINER                               135
+#  define DSO_F_WIN32_LOAD                                 120
+#  define DSO_F_WIN32_MERGER                               134
+#  define DSO_F_WIN32_NAME_CONVERTER                       125
+#  define DSO_F_WIN32_PATHBYADDR                           109
+#  define DSO_F_WIN32_SPLITTER                             136
+#  define DSO_F_WIN32_UNLOAD                               121
+
+/*
+ * DSO reason codes.
+ */
+#  define DSO_R_CTRL_FAILED                                100
+#  define DSO_R_DSO_ALREADY_LOADED                         110
+#  define DSO_R_EMPTY_FILE_STRUCTURE                       113
+#  define DSO_R_FAILURE                                    114
+#  define DSO_R_FILENAME_TOO_BIG                           101
+#  define DSO_R_FINISH_FAILED                              102
+#  define DSO_R_INCORRECT_FILE_SYNTAX                      115
+#  define DSO_R_LOAD_FAILED                                103
+#  define DSO_R_NAME_TRANSLATION_FAILED                    109
+#  define DSO_R_NO_FILENAME                                111
+#  define DSO_R_NULL_HANDLE                                104
+#  define DSO_R_SET_FILENAME_FAILED                        112
+#  define DSO_R_STACK_ERROR                                105
+#  define DSO_R_SYM_FAILURE                                106
+#  define DSO_R_UNLOAD_FAILED                              107
+#  define DSO_R_UNSUPPORTED                                108
+
+#endif
--- a/deps/openssl/android/arm64-v8a/usr/local/include/internal/err.h
+++ b/deps/openssl/android/arm64-v8a/usr/local/include/internal/err.h
@ -0,0 +1,15 @@
+/*
+ * Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the OpenSSL license (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#ifndef OSSL_INTERNAL_ERR_H
+# define OSSL_INTERNAL_ERR_H
+
+void err_free_strings_int(void);
+
+#endif
--- a/deps/openssl/android/arm64-v8a/usr/local/include/internal/nelem.h
+++ b/deps/openssl/android/arm64-v8a/usr/local/include/internal/nelem.h
@ -0,0 +1,14 @@
+/*
+ * Copyright 2017 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the OpenSSL license (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#ifndef OSSL_INTERNAL_NELEM_H
+# define OSSL_INTERNAL_NELEM_H
+
+# define OSSL_NELEM(x)    (sizeof(x)/sizeof((x)[0]))
+#endif
--- a/deps/openssl/android/arm64-v8a/usr/local/include/internal/numbers.h
+++ b/deps/openssl/android/arm64-v8a/usr/local/include/internal/numbers.h
@ -0,0 +1,68 @@
+/*
+ * Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the OpenSSL license (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#ifndef OSSL_INTERNAL_NUMBERS_H
+# define OSSL_INTERNAL_NUMBERS_H
+
+# include <limits.h>
+
+# if (-1 & 3) == 0x03		/* Two's complement */
+
+#  define __MAXUINT__(T) ((T) -1)
+#  define __MAXINT__(T) ((T) ((((T) 1) << ((sizeof(T) * CHAR_BIT) - 1)) ^ __MAXUINT__(T)))
+#  define __MININT__(T) (-__MAXINT__(T) - 1)
+
+# elif (-1 & 3) == 0x02		/* One's complement */
+
+#  define __MAXUINT__(T) (((T) -1) + 1)
+#  define __MAXINT__(T) ((T) ((((T) 1) << ((sizeof(T) * CHAR_BIT) - 1)) ^ __MAXUINT__(T)))
+#  define __MININT__(T) (-__MAXINT__(T))
+
+# elif (-1 & 3) == 0x01		/* Sign/magnitude */
+
+#  define __MAXINT__(T) ((T) (((((T) 1) << ((sizeof(T) * CHAR_BIT) - 2)) - 1) | (((T) 1) << ((sizeof(T) * CHAR_BIT) - 2))))
+#  define __MAXUINT__(T) ((T) (__MAXINT__(T) | (((T) 1) << ((sizeof(T) * CHAR_BIT) - 1))))
+#  define __MININT__(T) (-__MAXINT__(T))
+
+# else
+
+#  error "do not know the integer encoding on this architecture"
+
+# endif
+
+# ifndef INT8_MAX
+#  define INT8_MIN __MININT__(int8_t)
+#  define INT8_MAX __MAXINT__(int8_t)
+#  define UINT8_MAX __MAXUINT__(uint8_t)
+# endif
+
+# ifndef INT16_MAX
+#  define INT16_MIN __MININT__(int16_t)
+#  define INT16_MAX __MAXINT__(int16_t)
+#  define UINT16_MAX __MAXUINT__(uint16_t)
+# endif
+
+# ifndef INT32_MAX
+#  define INT32_MIN __MININT__(int32_t)
+#  define INT32_MAX __MAXINT__(int32_t)
+#  define UINT32_MAX __MAXUINT__(uint32_t)
+# endif
+
+# ifndef INT64_MAX
+#  define INT64_MIN __MININT__(int64_t)
+#  define INT64_MAX __MAXINT__(int64_t)
+#  define UINT64_MAX __MAXUINT__(uint64_t)
+# endif
+
+# ifndef SIZE_MAX
+#  define SIZE_MAX __MAXUINT__(size_t)
+# endif
+
+#endif
+
--- a/deps/openssl/android/arm64-v8a/usr/local/include/internal/o_dir.h
+++ b/deps/openssl/android/arm64-v8a/usr/local/include/internal/o_dir.h
@ -0,0 +1,52 @@
+/*
+ * Copyright 2004-2018 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the OpenSSL license (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+/*
+ * This file is dual-licensed and is also available under the following
+ * terms:
+ *
+ * Copyright (c) 2004, Richard Levitte <richard@levitte.org>
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifndef OSSL_INTERNAL_O_DIR_H
+# define OSSL_INTERNAL_O_DIR_H
+
+typedef struct OPENSSL_dir_context_st OPENSSL_DIR_CTX;
+
+/*
+ * returns NULL on error or end-of-directory. If it is end-of-directory,
+ * errno will be zero
+ */
+const char *OPENSSL_DIR_read(OPENSSL_DIR_CTX **ctx, const char *directory);
+/* returns 1 on success, 0 on error */
+int OPENSSL_DIR_end(OPENSSL_DIR_CTX **ctx);
+
+#endif                          /* LPDIR_H */
--- a/deps/openssl/android/arm64-v8a/usr/local/include/internal/o_str.h
+++ b/deps/openssl/android/arm64-v8a/usr/local/include/internal/o_str.h
@ -0,0 +1,17 @@
+/*
+ * Copyright 2003-2016 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the OpenSSL license (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#ifndef OSSL_INTERNAL_O_STR_H
+# define OSSL_INTERNAL_O_STR_H
+
+# include <stddef.h>            /* to get size_t */
+
+int OPENSSL_memcmp(const void *p1, const void *p2, size_t n);
+
+#endif
--- a/deps/openssl/android/arm64-v8a/usr/local/include/internal/refcount.h
+++ b/deps/openssl/android/arm64-v8a/usr/local/include/internal/refcount.h
@ -0,0 +1,150 @@
+/*
+ * Copyright 2016-2019 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the OpenSSL license (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+#ifndef OSSL_INTERNAL_REFCOUNT_H
+# define OSSL_INTERNAL_REFCOUNT_H
+
+/* Used to checking reference counts, most while doing perl5 stuff :-) */
+# if defined(OPENSSL_NO_STDIO)
+#  if defined(REF_PRINT)
+#   error "REF_PRINT requires stdio"
+#  endif
+# endif
+
+# if defined(__STDC_VERSION__) && __STDC_VERSION__ >= 201112L \
+     && !defined(__STDC_NO_ATOMICS__)
+#  include <stdatomic.h>
+#  define HAVE_C11_ATOMICS
+# endif
+
+# if defined(HAVE_C11_ATOMICS) && defined(ATOMIC_INT_LOCK_FREE) \
+     && ATOMIC_INT_LOCK_FREE > 0
+
+#  define HAVE_ATOMICS 1
+
+typedef _Atomic int CRYPTO_REF_COUNT;
+
+static inline int CRYPTO_UP_REF(_Atomic int *val, int *ret, void *lock)
+{
+    *ret = atomic_fetch_add_explicit(val, 1, memory_order_relaxed) + 1;
+    return 1;
+}
+
+/*
+ * Changes to shared structure other than reference counter have to be
+ * serialized. And any kind of serialization implies a release fence. This
+ * means that by the time reference counter is decremented all other
+ * changes are visible on all processors. Hence decrement itself can be
+ * relaxed. In case it hits zero, object will be destructed. Since it's
+ * last use of the object, destructor programmer might reason that access
+ * to mutable members doesn't have to be serialized anymore, which would
+ * otherwise imply an acquire fence. Hence conditional acquire fence...
+ */
+static inline int CRYPTO_DOWN_REF(_Atomic int *val, int *ret, void *lock)
+{
+    *ret = atomic_fetch_sub_explicit(val, 1, memory_order_relaxed) - 1;
+    if (*ret == 0)
+        atomic_thread_fence(memory_order_acquire);
+    return 1;
+}
+
+# elif defined(__GNUC__) && defined(__ATOMIC_RELAXED) && __GCC_ATOMIC_INT_LOCK_FREE > 0
+
+#  define HAVE_ATOMICS 1
+
+typedef int CRYPTO_REF_COUNT;
+
+static __inline__ int CRYPTO_UP_REF(int *val, int *ret, void *lock)
+{
+    *ret = __atomic_fetch_add(val, 1, __ATOMIC_RELAXED) + 1;
+    return 1;
+}
+
+static __inline__ int CRYPTO_DOWN_REF(int *val, int *ret, void *lock)
+{
+    *ret = __atomic_fetch_sub(val, 1, __ATOMIC_RELAXED) - 1;
+    if (*ret == 0)
+        __atomic_thread_fence(__ATOMIC_ACQUIRE);
+    return 1;
+}
+
+# elif defined(_MSC_VER) && _MSC_VER>=1200
+
+#  define HAVE_ATOMICS 1
+
+typedef volatile int CRYPTO_REF_COUNT;
+
+#  if (defined(_M_ARM) && _M_ARM>=7 && !defined(_WIN32_WCE)) || defined(_M_ARM64)
+#   include <intrin.h>
+#   if defined(_M_ARM64) && !defined(_ARM_BARRIER_ISH)
+#    define _ARM_BARRIER_ISH _ARM64_BARRIER_ISH
+#   endif
+
+static __inline int CRYPTO_UP_REF(volatile int *val, int *ret, void *lock)
+{
+    *ret = _InterlockedExchangeAdd_nf(val, 1) + 1;
+    return 1;
+}
+
+static __inline int CRYPTO_DOWN_REF(volatile int *val, int *ret, void *lock)
+{
+    *ret = _InterlockedExchangeAdd_nf(val, -1) - 1;
+    if (*ret == 0)
+        __dmb(_ARM_BARRIER_ISH);
+    return 1;
+}
+#  else
+#   if !defined(_WIN32_WCE)
+#    pragma intrinsic(_InterlockedExchangeAdd)
+#   else
+#    if _WIN32_WCE >= 0x600
+      extern long __cdecl _InterlockedExchangeAdd(long volatile*, long);
+#    else
+      /* under Windows CE we still have old-style Interlocked* functions */
+      extern long __cdecl InterlockedExchangeAdd(long volatile*, long);
+#     define _InterlockedExchangeAdd InterlockedExchangeAdd
+#    endif
+#   endif
+
+static __inline int CRYPTO_UP_REF(volatile int *val, int *ret, void *lock)
+{
+    *ret = _InterlockedExchangeAdd(val, 1) + 1;
+    return 1;
+}
+
+static __inline int CRYPTO_DOWN_REF(volatile int *val, int *ret, void *lock)
+{
+    *ret = _InterlockedExchangeAdd(val, -1) - 1;
+    return 1;
+}
+#  endif
+
+# else
+
+typedef int CRYPTO_REF_COUNT;
+
+# define CRYPTO_UP_REF(val, ret, lock) CRYPTO_atomic_add(val, 1, ret, lock)
+# define CRYPTO_DOWN_REF(val, ret, lock) CRYPTO_atomic_add(val, -1, ret, lock)
+
+# endif
+
+# if !defined(NDEBUG) && !defined(OPENSSL_NO_STDIO)
+#  define REF_ASSERT_ISNT(test) \
+    (void)((test) ? (OPENSSL_die("refcount error", __FILE__, __LINE__), 1) : 0)
+# else
+#  define REF_ASSERT_ISNT(i)
+# endif
+
+# ifdef REF_PRINT
+#  define REF_PRINT_COUNT(a, b) \
+        fprintf(stderr, "%p:%4d:%s\n", b, b->references, a)
+# else
+#  define REF_PRINT_COUNT(a, b)
+# endif
+
+#endif
--- a/deps/openssl/android/arm64-v8a/usr/local/include/internal/sockets.h
+++ b/deps/openssl/android/arm64-v8a/usr/local/include/internal/sockets.h
@ -0,0 +1,157 @@
+/*
+ * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the OpenSSL license (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+
+#ifndef OSSL_INTERNAL_SOCKETS_H
+# define OSSL_INTERNAL_SOCKETS_H
+
+# if defined(OPENSSL_SYS_VXWORKS) || defined(OPENSSL_SYS_UEFI)
+#  define NO_SYS_PARAM_H
+# endif
+# ifdef WIN32
+#  define NO_SYS_UN_H
+# endif
+# ifdef OPENSSL_SYS_VMS
+#  define NO_SYS_PARAM_H
+#  define NO_SYS_UN_H
+# endif
+
+# ifdef OPENSSL_NO_SOCK
+
+# elif defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS)
+#  if defined(__DJGPP__)
+#   include <sys/socket.h>
+#   include <sys/un.h>
+#   include <tcp.h>
+#   include <netdb.h>
+#   include <arpa/inet.h>
+#   include <netinet/tcp.h>
+#  elif defined(_WIN32_WCE) && _WIN32_WCE<410
+#   define getservbyname _masked_declaration_getservbyname
+#  endif
+#  if !defined(IPPROTO_IP)
+    /* winsock[2].h was included already? */
+#   include <winsock.h>
+#  endif
+#  ifdef getservbyname
+     /* this is used to be wcecompat/include/winsock_extras.h */
+#   undef getservbyname
+struct servent *PASCAL getservbyname(const char *, const char *);
+#  endif
+
+#  ifdef _WIN64
+/*
+ * Even though sizeof(SOCKET) is 8, it's safe to cast it to int, because
+ * the value constitutes an index in per-process table of limited size
+ * and not a real pointer. And we also depend on fact that all processors
+ * Windows run on happen to be two's-complement, which allows to
+ * interchange INVALID_SOCKET and -1.
+ */
+#   define socket(d,t,p)   ((int)socket(d,t,p))
+#   define accept(s,f,l)   ((int)accept(s,f,l))
+#  endif
+
+# else
+
+#  ifndef NO_SYS_PARAM_H
+#   include <sys/param.h>
+#  endif
+#  ifdef OPENSSL_SYS_VXWORKS
+#   include <time.h>
+#  endif
+
+#  include <netdb.h>
+#  if defined(OPENSSL_SYS_VMS_NODECC)
+#   include <socket.h>
+#   include <in.h>
+#   include <inet.h>
+#  else
+#   include <sys/socket.h>
+#   ifndef NO_SYS_UN_H
+#    include <sys/un.h>
+#    ifndef UNIX_PATH_MAX
+#     define UNIX_PATH_MAX sizeof(((struct sockaddr_un *)NULL)->sun_path)
+#    endif
+#   endif
+#   ifdef FILIO_H
+#    include <sys/filio.h> /* FIONBIO in some SVR4, e.g. unixware, solaris */
+#   endif
+#   include <netinet/in.h>
+#   include <arpa/inet.h>
+#   include <netinet/tcp.h>
+#  endif
+
+#  ifdef OPENSSL_SYS_AIX
+#   include <sys/select.h>
+#  endif
+
+#  ifndef VMS
+#   include <sys/ioctl.h>
+#  else
+#   if !defined(TCPIP_TYPE_SOCKETSHR) && defined(__VMS_VER) && (__VMS_VER > 70000000)
+     /* ioctl is only in VMS > 7.0 and when socketshr is not used */
+#    include <sys/ioctl.h>
+#   endif
+#   include <unixio.h>
+#   if defined(TCPIP_TYPE_SOCKETSHR)
+#    include <socketshr.h>
+#   endif
+#  endif
+
+#  ifndef INVALID_SOCKET
+#   define INVALID_SOCKET      (-1)
+#  endif
+# endif
+
+/*
+ * Some IPv6 implementations are broken, you can disable them in known
+ * bad versions.
+ */
+# if !defined(OPENSSL_USE_IPV6)
+#  if defined(AF_INET6)
+#   define OPENSSL_USE_IPV6 1
+#  else
+#   define OPENSSL_USE_IPV6 0
+#  endif
+# endif
+
+# define get_last_socket_error() errno
+# define clear_socket_error()    errno=0
+
+# if defined(OPENSSL_SYS_WINDOWS)
+#  undef get_last_socket_error
+#  undef clear_socket_error
+#  define get_last_socket_error() WSAGetLastError()
+#  define clear_socket_error()    WSASetLastError(0)
+#  define readsocket(s,b,n)       recv((s),(b),(n),0)
+#  define writesocket(s,b,n)      send((s),(b),(n),0)
+# elif defined(__DJGPP__)
+#  define WATT32
+#  define WATT32_NO_OLDIES
+#  define closesocket(s)          close_s(s)
+#  define readsocket(s,b,n)       read_s(s,b,n)
+#  define writesocket(s,b,n)      send(s,b,n,0)
+# elif defined(OPENSSL_SYS_VMS)
+#  define ioctlsocket(a,b,c)      ioctl(a,b,c)
+#  define closesocket(s)          close(s)
+#  define readsocket(s,b,n)       recv((s),(b),(n),0)
+#  define writesocket(s,b,n)      send((s),(b),(n),0)
+# elif defined(OPENSSL_SYS_VXWORKS)
+#  define ioctlsocket(a,b,c)          ioctl((a),(b),(int)(c))
+#  define closesocket(s)              close(s)
+#  define readsocket(s,b,n)           read((s),(b),(n))
+#  define writesocket(s,b,n)          write((s),(char *)(b),(n))
+# else
+#  define ioctlsocket(a,b,c)      ioctl(a,b,c)
+#  define closesocket(s)          close(s)
+#  define readsocket(s,b,n)       read((s),(b),(n))
+#  define writesocket(s,b,n)      write((s),(b),(n))
+# endif
+
+#endif
--- a/deps/openssl/android/arm64-v8a/usr/local/include/internal/sslconf.h
+++ b/deps/openssl/android/arm64-v8a/usr/local/include/internal/sslconf.h
@ -0,0 +1,20 @@
+/*
+ * Copyright 2018 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the OpenSSL license (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#ifndef OSSL_INTERNAL_SSLCONF_H
+# define OSSL_INTERNAL_SSLCONF_H
+
+typedef struct ssl_conf_cmd_st SSL_CONF_CMD;
+
+const SSL_CONF_CMD *conf_ssl_get(size_t idx, const char **name, size_t *cnt);
+int conf_ssl_name_find(const char *name, size_t *idx);
+void conf_ssl_get_cmd(const SSL_CONF_CMD *cmd, size_t idx, char **cmdstr,
+                      char **arg);
+
+#endif
--- a/deps/openssl/android/arm64-v8a/usr/local/include/internal/thread_once.h
+++ b/deps/openssl/android/arm64-v8a/usr/local/include/internal/thread_once.h
@ -0,0 +1,137 @@
+/*
+ * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the OpenSSL license (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#include <openssl/crypto.h>
+
+/*
+ * DEFINE_RUN_ONCE: Define an initialiser function that should be run exactly
+ * once. It takes no arguments and returns and int result (1 for success or
+ * 0 for failure). Typical usage might be:
+ *
+ * DEFINE_RUN_ONCE(myinitfunc)
+ * {
+ *     do_some_initialisation();
+ *     if (init_is_successful())
+ *         return 1;
+ *
+ *     return 0;
+ * }
+ */
+#define DEFINE_RUN_ONCE(init)                   \
+    static int init(void);                     \
+    int init##_ossl_ret_ = 0;                   \
+    void init##_ossl_(void)                     \
+    {                                           \
+        init##_ossl_ret_ = init();              \
+    }                                           \
+    static int init(void)
+
+/*
+ * DECLARE_RUN_ONCE: Declare an initialiser function that should be run exactly
+ * once that has been defined in another file via DEFINE_RUN_ONCE().
+ */
+#define DECLARE_RUN_ONCE(init)                  \
+    extern int init##_ossl_ret_;                \
+    void init##_ossl_(void);
+
+/*
+ * DEFINE_RUN_ONCE_STATIC: Define an initialiser function that should be run
+ * exactly once. This function will be declared as static within the file. It
+ * takes no arguments and returns and int result (1 for success or 0 for
+ * failure). Typical usage might be:
+ *
+ * DEFINE_RUN_ONCE_STATIC(myinitfunc)
+ * {
+ *     do_some_initialisation();
+ *     if (init_is_successful())
+ *         return 1;
+ *
+ *     return 0;
+ * }
+ */
+#define DEFINE_RUN_ONCE_STATIC(init)            \
+    static int init(void);                     \
+    static int init##_ossl_ret_ = 0;            \
+    static void init##_ossl_(void)              \
+    {                                           \
+        init##_ossl_ret_ = init();              \
+    }                                           \
+    static int init(void)
+
+/*
+ * DEFINE_RUN_ONCE_STATIC_ALT: Define an alternative initialiser function. This
+ * function will be declared as static within the file. It takes no arguments
+ * and returns an int result (1 for success or 0 for failure). An alternative
+ * initialiser function is expected to be associated with a primary initialiser
+ * function defined via DEFINE_ONCE_STATIC where both functions use the same
+ * CRYPTO_ONCE object to synchronise. Where an alternative initialiser function
+ * is used only one of the primary or the alternative initialiser function will
+ * ever be called - and that function will be called exactly once. Definition
+ * of an alternative initialiser function MUST occur AFTER the definition of the
+ * primary initialiser function.
+ *
+ * Typical usage might be:
+ *
+ * DEFINE_RUN_ONCE_STATIC(myinitfunc)
+ * {
+ *     do_some_initialisation();
+ *     if (init_is_successful())
+ *         return 1;
+ *
+ *     return 0;
+ * }
+ *
+ * DEFINE_RUN_ONCE_STATIC_ALT(myaltinitfunc, myinitfunc)
+ * {
+ *     do_some_alternative_initialisation();
+ *     if (init_is_successful())
+ *         return 1;
+ *
+ *     return 0;
+ * }
+ */
+#define DEFINE_RUN_ONCE_STATIC_ALT(initalt, init) \
+    static int initalt(void);                     \
+    static void initalt##_ossl_(void)             \
+    {                                             \
+        init##_ossl_ret_ = initalt();             \
+    }                                             \
+    static int initalt(void)
+
+/*
+ * RUN_ONCE - use CRYPTO_THREAD_run_once, and check if the init succeeded
+ * @once: pointer to static object of type CRYPTO_ONCE
+ * @init: function name that was previously given to DEFINE_RUN_ONCE,
+ *        DEFINE_RUN_ONCE_STATIC or DECLARE_RUN_ONCE.  This function
+ *        must return 1 for success or 0 for failure.
+ *
+ * The return value is 1 on success (*) or 0 in case of error.
+ *
+ * (*) by convention, since the init function must return 1 on success.
+ */
+#define RUN_ONCE(once, init)                                            \
+    (CRYPTO_THREAD_run_once(once, init##_ossl_) ? init##_ossl_ret_ : 0)
+
+/*
+ * RUN_ONCE_ALT - use CRYPTO_THREAD_run_once, to run an alternative initialiser
+ *                function and check if that initialisation succeeded
+ * @once:    pointer to static object of type CRYPTO_ONCE
+ * @initalt: alternative initialiser function name that was previously given to
+ *           DEFINE_RUN_ONCE_STATIC_ALT.  This function must return 1 for
+ *           success or 0 for failure.
+ * @init:    primary initialiser function name that was previously given to
+ *           DEFINE_RUN_ONCE_STATIC.  This function must return 1 for success or
+ *           0 for failure.
+ *
+ * The return value is 1 on success (*) or 0 in case of error.
+ *
+ * (*) by convention, since the init function must return 1 on success.
+ */
+#define RUN_ONCE_ALT(once, initalt, init)                               \
+    (CRYPTO_THREAD_run_once(once, initalt##_ossl_) ? init##_ossl_ret_ : 0)
--- a/deps/openssl/android/arm64-v8a/usr/local/include/internal/tsan_assist.h
+++ b/deps/openssl/android/arm64-v8a/usr/local/include/internal/tsan_assist.h
@ -0,0 +1,144 @@
+/*
+ * Copyright 2018-2019 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the OpenSSL license (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+/*
+ * Contemporary compilers implement lock-free atomic memory access
+ * primitives that facilitate writing "thread-opportunistic" or even real
+ * multi-threading low-overhead code. "Thread-opportunistic" is when
+ * exact result is not required, e.g. some statistics, or execution flow
+ * doesn't have to be unambiguous. Simplest example is lazy "constant"
+ * initialization when one can synchronize on variable itself, e.g.
+ *
+ * if (var == NOT_YET_INITIALIZED)
+ *     var = function_returning_same_value();
+ *
+ * This does work provided that loads and stores are single-instruction
+ * operations (and integer ones are on *all* supported platforms), but
+ * it upsets Thread Sanitizer. Suggested solution is
+ *
+ * if (tsan_load(&var) == NOT_YET_INITIALIZED)
+ *     tsan_store(&var, function_returning_same_value());
+ *
+ * Production machine code would be the same, so one can wonder why
+ * bother. Having Thread Sanitizer accept "thread-opportunistic" code
+ * allows to move on trouble-shooting real bugs.
+ *
+ * Resolving Thread Sanitizer nits was the initial purpose for this module,
+ * but it was later extended with more nuanced primitives that are useful
+ * even in "non-opportunistic" scenarios. Most notably verifying if a shared
+ * structure is fully initialized and bypassing the initialization lock.
+ * It's suggested to view macros defined in this module as "annotations" for
+ * thread-safe lock-free code, "Thread-Safe ANnotations"...
+ *
+ * It's assumed that ATOMIC_{LONG|INT}_LOCK_FREE are assigned same value as
+ * ATOMIC_POINTER_LOCK_FREE. And check for >= 2 ensures that corresponding
+ * code is inlined. It should be noted that statistics counters become
+ * accurate in such case.
+ *
+ * Special note about TSAN_QUALIFIER. It might be undesired to use it in
+ * a shared header. Because whether operation on specific variable or member
+ * is atomic or not might be irrelevant in other modules. In such case one
+ * can use TSAN_QUALIFIER in cast specifically when it has to count.
+ */
+
+#if defined(__STDC_VERSION__) && __STDC_VERSION__ >= 201112L \
+    && !defined(__STDC_NO_ATOMICS__)
+# include <stdatomic.h>
+
+# if defined(ATOMIC_POINTER_LOCK_FREE) \
+          && ATOMIC_POINTER_LOCK_FREE >= 2
+#  define TSAN_QUALIFIER _Atomic
+#  define tsan_load(ptr) atomic_load_explicit((ptr), memory_order_relaxed)
+#  define tsan_store(ptr, val) atomic_store_explicit((ptr), (val), memory_order_relaxed)
+#  define tsan_counter(ptr) atomic_fetch_add_explicit((ptr), 1, memory_order_relaxed)
+#  define tsan_decr(ptr) atomic_fetch_add_explicit((ptr), -1, memory_order_relaxed)
+#  define tsan_ld_acq(ptr) atomic_load_explicit((ptr), memory_order_acquire)
+#  define tsan_st_rel(ptr, val) atomic_store_explicit((ptr), (val), memory_order_release)
+# endif
+
+#elif defined(__GNUC__) && defined(__ATOMIC_RELAXED)
+
+# if defined(__GCC_ATOMIC_POINTER_LOCK_FREE) \
+          && __GCC_ATOMIC_POINTER_LOCK_FREE >= 2
+#  define TSAN_QUALIFIER volatile
+#  define tsan_load(ptr) __atomic_load_n((ptr), __ATOMIC_RELAXED)
+#  define tsan_store(ptr, val) __atomic_store_n((ptr), (val), __ATOMIC_RELAXED)
+#  define tsan_counter(ptr) __atomic_fetch_add((ptr), 1, __ATOMIC_RELAXED)
+#  define tsan_decr(ptr) __atomic_fetch_add((ptr), -1, __ATOMIC_RELAXED)
+#  define tsan_ld_acq(ptr) __atomic_load_n((ptr), __ATOMIC_ACQUIRE)
+#  define tsan_st_rel(ptr, val) __atomic_store_n((ptr), (val), __ATOMIC_RELEASE)
+# endif
+
+#elif defined(_MSC_VER) && _MSC_VER>=1200 \
+      && (defined(_M_IX86) || defined(_M_AMD64) || defined(_M_X64) || \
+          defined(_M_ARM64) || (defined(_M_ARM) && _M_ARM >= 7 && !defined(_WIN32_WCE)))
+/*
+ * There is subtle dependency on /volatile:<iso|ms> command-line option.
+ * "ms" implies same semantic as memory_order_acquire for loads and
+ * memory_order_release for stores, while "iso" - memory_order_relaxed for
+ * either. Real complication is that defaults are different on x86 and ARM.
+ * There is explanation for that, "ms" is backward compatible with earlier
+ * compiler versions, while multi-processor ARM can be viewed as brand new
+ * platform to MSC and its users, and with non-relaxed semantic taking toll
+ * with additional instructions and penalties, it kind of makes sense to
+ * default to "iso"...
+ */
+# define TSAN_QUALIFIER volatile
+# if defined(_M_ARM) || defined(_M_ARM64)
+#  define _InterlockedExchangeAdd _InterlockedExchangeAdd_nf
+#  pragma intrinsic(_InterlockedExchangeAdd_nf)
+#  pragma intrinsic(__iso_volatile_load32, __iso_volatile_store32)
+#  ifdef _WIN64
+#   define _InterlockedExchangeAdd64 _InterlockedExchangeAdd64_nf
+#   pragma intrinsic(_InterlockedExchangeAdd64_nf)
+#   pragma intrinsic(__iso_volatile_load64, __iso_volatile_store64)
+#   define tsan_load(ptr) (sizeof(*(ptr)) == 8 ? __iso_volatile_load64(ptr) \
+                                               : __iso_volatile_load32(ptr))
+#   define tsan_store(ptr, val) (sizeof(*(ptr)) == 8 ? __iso_volatile_store64((ptr), (val)) \
+                                                     : __iso_volatile_store32((ptr), (val)))
+#  else
+#   define tsan_load(ptr) __iso_volatile_load32(ptr)
+#   define tsan_store(ptr, val) __iso_volatile_store32((ptr), (val))
+#  endif
+# else
+#  define tsan_load(ptr) (*(ptr))
+#  define tsan_store(ptr, val) (*(ptr) = (val))
+# endif
+# pragma intrinsic(_InterlockedExchangeAdd)
+# ifdef _WIN64
+#  pragma intrinsic(_InterlockedExchangeAdd64)
+#  define tsan_counter(ptr) (sizeof(*(ptr)) == 8 ? _InterlockedExchangeAdd64((ptr), 1) \
+                                                 : _InterlockedExchangeAdd((ptr), 1))
+#  define tsan_decr(ptr) (sizeof(*(ptr)) == 8 ? _InterlockedExchangeAdd64((ptr), -1) \
+                                                 : _InterlockedExchangeAdd((ptr), -1))
+# else
+#  define tsan_counter(ptr) _InterlockedExchangeAdd((ptr), 1)
+#  define tsan_decr(ptr) _InterlockedExchangeAdd((ptr), -1)
+# endif
+# if !defined(_ISO_VOLATILE)
+#  define tsan_ld_acq(ptr) (*(ptr))
+#  define tsan_st_rel(ptr, val) (*(ptr) = (val))
+# endif
+
+#endif
+
+#ifndef TSAN_QUALIFIER
+
+# define TSAN_QUALIFIER volatile
+# define tsan_load(ptr) (*(ptr))
+# define tsan_store(ptr, val) (*(ptr) = (val))
+# define tsan_counter(ptr) ((*(ptr))++)
+# define tsan_decr(ptr) ((*(ptr))--)
+/*
+ * Lack of tsan_ld_acq and tsan_ld_rel means that compiler support is not
+ * sophisticated enough to support them. Code that relies on them should be
+ * protected with #ifdef tsan_ld_acq with locked fallback.
+ */
+
+#endif
--- a/deps/openssl/android/arm64-v8a/usr/local/include/openssl/__DECC_INCLUDE_EPILOGUE.H
+++ b/deps/openssl/android/arm64-v8a/usr/local/include/openssl/__DECC_INCLUDE_EPILOGUE.H
@ -0,0 +1,22 @@
+/*
+ * Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the OpenSSL license (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+/*
+ * This file is only used by HP C/C++ on VMS, and is included automatically
+ * after each header file from this directory
+ */
+
+/*
+ * The C++ compiler doesn't understand these pragmas, even though it
+ * understands the corresponding command line qualifier.
+ */
+#ifndef __cplusplus
+/* restore state.  Must correspond to the save in __decc_include_prologue.h */
+# pragma names restore
+#endif
--- a/deps/openssl/android/arm64-v8a/usr/local/include/openssl/__DECC_INCLUDE_PROLOGUE.H
+++ b/deps/openssl/android/arm64-v8a/usr/local/include/openssl/__DECC_INCLUDE_PROLOGUE.H
@ -0,0 +1,26 @@
+/*
+ * Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the OpenSSL license (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+/*
+ * This file is only used by HP C/C++ on VMS, and is included automatically
+ * after each header file from this directory
+ */
+
+/*
+ * The C++ compiler doesn't understand these pragmas, even though it
+ * understands the corresponding command line qualifier.
+ */
+#ifndef __cplusplus
+/* save state */
+# pragma names save
+/* have the compiler shorten symbols larger than 31 chars to 23 chars
+ * followed by a 8 hex char CRC
+ */
+# pragma names as_is,shortened
+#endif
--- a/deps/openssl/android/arm64-v8a/usr/local/include/openssl/dh.h
+++ b/deps/openssl/android/arm64-v8a/usr/local/include/openssl/dh.h
@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the OpenSSL license (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
@ -29,6 +29,9 @@ extern "C" {
 # ifndef OPENSSL_DH_MAX_MODULUS_BITS
 #  define OPENSSL_DH_MAX_MODULUS_BITS    10000
 # endif
+# ifndef OPENSSL_DH_CHECK_MAX_MODULUS_BITS
+#  define OPENSSL_DH_CHECK_MAX_MODULUS_BITS  32768
+# endif

 # define OPENSSL_DH_FIPS_MIN_MODULUS_BITS 1024

--- a/deps/openssl/android/arm64-v8a/usr/local/include/openssl/dherr.h
+++ b/deps/openssl/android/arm64-v8a/usr/local/include/openssl/dherr.h
@ -1,6 +1,6 @@
 /*
 * Generated by util/mkerr.pl DO NOT EDIT
- * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the OpenSSL license (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
@ -30,6 +30,7 @@ int ERR_load_DH_strings(void);
 #  define DH_F_COMPUTE_KEY                                 102
 #  define DH_F_DHPARAMS_PRINT_FP                           101
 #  define DH_F_DH_BUILTIN_GENPARAMS                        106
+#  define DH_F_DH_CHECK                                    126
 #  define DH_F_DH_CHECK_EX                                 121
 #  define DH_F_DH_CHECK_PARAMS_EX                          122
 #  define DH_F_DH_CHECK_PUB_KEY_EX                         123
--- a/deps/openssl/android/arm64-v8a/usr/local/include/openssl/opensslconf.h.in
+++ b/deps/openssl/android/arm64-v8a/usr/local/include/openssl/opensslconf.h.in
@ -0,0 +1,160 @@
+/*
+ * {- join("\n * ", @autowarntext) -}
+ *
+ * Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the OpenSSL license (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#include <openssl/opensslv.h>
+
+#ifdef  __cplusplus
+extern "C" {
+#endif
+
+#ifdef OPENSSL_ALGORITHM_DEFINES
+# error OPENSSL_ALGORITHM_DEFINES no longer supported
+#endif
+
+/*
+ * OpenSSL was configured with the following options:
+ */
+
+{- if (@{$config{openssl_sys_defines}}) {
+      foreach (@{$config{openssl_sys_defines}}) {
+	$OUT .= "#ifndef $_\n";
+	$OUT .= "# define $_ 1\n";
+	$OUT .= "#endif\n";
+      }
+    }
+    foreach (@{$config{openssl_api_defines}}) {
+        (my $macro, my $value) = $_ =~ /^(.*?)=(.*?)$/;
+        $OUT .= "#define $macro $value\n";
+    }
+    if (@{$config{openssl_algorithm_defines}}) {
+      foreach (@{$config{openssl_algorithm_defines}}) {
+	$OUT .= "#ifndef $_\n";
+	$OUT .= "# define $_\n";
+	$OUT .= "#endif\n";
+      }
+    }
+    if (@{$config{openssl_thread_defines}}) {
+      foreach (@{$config{openssl_thread_defines}}) {
+	$OUT .= "#ifndef $_\n";
+	$OUT .= "# define $_\n";
+	$OUT .= "#endif\n";
+      }
+    }
+    if (@{$config{openssl_other_defines}}) {
+      foreach (@{$config{openssl_other_defines}}) {
+	$OUT .= "#ifndef $_\n";
+	$OUT .= "# define $_\n";
+	$OUT .= "#endif\n";
+      }
+    }
+    "";
+-}
+
+/*
+ * Sometimes OPENSSSL_NO_xxx ends up with an empty file and some compilers
+ * don't like that.  This will hopefully silence them.
+ */
+#define NON_EMPTY_TRANSLATION_UNIT static void *dummy = &dummy;
+
+/*
+ * Applications should use -DOPENSSL_API_COMPAT=<version> to suppress the
+ * declarations of functions deprecated in or before <version>. Otherwise, they
+ * still won't see them if the library has been built to disable deprecated
+ * functions.
+ */
+#ifndef DECLARE_DEPRECATED
+# define DECLARE_DEPRECATED(f)   f;
+# ifdef __GNUC__
+#  if __GNUC__ > 3 || (__GNUC__ == 3 && __GNUC_MINOR__ > 0)
+#   undef DECLARE_DEPRECATED
+#   define DECLARE_DEPRECATED(f)    f __attribute__ ((deprecated));
+#  endif
+# elif defined(__SUNPRO_C)
+#  if (__SUNPRO_C >= 0x5130)
+#   undef DECLARE_DEPRECATED
+#   define DECLARE_DEPRECATED(f)    f __attribute__ ((deprecated));
+#  endif
+# endif
+#endif
+
+#ifndef OPENSSL_FILE
+# ifdef OPENSSL_NO_FILENAMES
+#  define OPENSSL_FILE ""
+#  define OPENSSL_LINE 0
+# else
+#  define OPENSSL_FILE __FILE__
+#  define OPENSSL_LINE __LINE__
+# endif
+#endif
+
+#ifndef OPENSSL_MIN_API
+# define OPENSSL_MIN_API 0
+#endif
+
+#if !defined(OPENSSL_API_COMPAT) || OPENSSL_API_COMPAT < OPENSSL_MIN_API
+# undef OPENSSL_API_COMPAT
+# define OPENSSL_API_COMPAT OPENSSL_MIN_API
+#endif
+
+/*
+ * Do not deprecate things to be deprecated in version 1.2.0 before the
+ * OpenSSL version number matches.
+ */
+#if OPENSSL_VERSION_NUMBER < 0x10200000L
+# define DEPRECATEDIN_1_2_0(f)   f;
+#elif OPENSSL_API_COMPAT < 0x10200000L
+# define DEPRECATEDIN_1_2_0(f)   DECLARE_DEPRECATED(f)
+#else
+# define DEPRECATEDIN_1_2_0(f)
+#endif
+
+#if OPENSSL_API_COMPAT < 0x10100000L
+# define DEPRECATEDIN_1_1_0(f)   DECLARE_DEPRECATED(f)
+#else
+# define DEPRECATEDIN_1_1_0(f)
+#endif
+
+#if OPENSSL_API_COMPAT < 0x10000000L
+# define DEPRECATEDIN_1_0_0(f)   DECLARE_DEPRECATED(f)
+#else
+# define DEPRECATEDIN_1_0_0(f)
+#endif
+
+#if OPENSSL_API_COMPAT < 0x00908000L
+# define DEPRECATEDIN_0_9_8(f)   DECLARE_DEPRECATED(f)
+#else
+# define DEPRECATEDIN_0_9_8(f)
+#endif
+
+/* Generate 80386 code? */
+{- $config{processor} eq "386" ? "#define" : "#undef" -} I386_ONLY
+
+#undef OPENSSL_UNISTD
+#define OPENSSL_UNISTD {- $target{unistd} -}
+
+{- $config{export_var_as_fn} ? "#define" : "#undef" -} OPENSSL_EXPORT_VAR_AS_FUNCTION
+
+/*
+ * The following are cipher-specific, but are part of the public API.
+ */
+#if !defined(OPENSSL_SYS_UEFI)
+{- $config{bn_ll} ? "# define" : "# undef" -} BN_LLONG
+/* Only one for the following should be defined */
+{- $config{b64l} ? "# define" : "# undef" -} SIXTY_FOUR_BIT_LONG
+{- $config{b64}  ? "# define" : "# undef" -} SIXTY_FOUR_BIT
+{- $config{b32}  ? "# define" : "# undef" -} THIRTY_TWO_BIT
+#endif
+
+#define RC4_INT {- $config{rc4_int} -}
+
+#ifdef  __cplusplus
+}
+#endif
--- a/deps/openssl/android/arm64-v8a/usr/local/include/openssl/opensslv.h
+++ b/deps/openssl/android/arm64-v8a/usr/local/include/openssl/opensslv.h
@ -1,5 +1,5 @@
 /*
- * Copyright 1999-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1999-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the OpenSSL license (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
@ -39,8 +39,8 @@ extern "C" {
 * (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for
 *  major minor fix final patch/beta)
 */
-# define OPENSSL_VERSION_NUMBER  0x1010114fL
-# define OPENSSL_VERSION_TEXT    "OpenSSL 1.1.1t  7 Feb 2023"
+# define OPENSSL_VERSION_NUMBER  0x1010117fL
+# define OPENSSL_VERSION_TEXT    "OpenSSL 1.1.1w  11 Sep 2023"

 /*-
 * The macros below are to be used for shared library (.so, .dll, ...)
--- a/deps/openssl/android/arm64-v8a/usr/local/lib/pkgconfig/libcrypto.pc
+++ b/deps/openssl/android/arm64-v8a/usr/local/lib/pkgconfig/libcrypto.pc
@ -1,12 +0,0 @@
-prefix=/usr/local
-exec_prefix=${prefix}
-libdir=${exec_prefix}/lib
-includedir=${prefix}/include
-enginesdir=${libdir}/engines-1.1
-
-Name: OpenSSL-libcrypto
-Description: OpenSSL cryptography library
-Version: 1.1.1t
-Libs: -L${libdir} -lcrypto
-Libs.private: -ldl -pthread 
-Cflags: -I${includedir}
--- a/deps/openssl/android/arm64-v8a/usr/local/lib/pkgconfig/libssl.pc
+++ b/deps/openssl/android/arm64-v8a/usr/local/lib/pkgconfig/libssl.pc
@ -1,11 +0,0 @@
-prefix=/usr/local
-exec_prefix=${prefix}
-libdir=${exec_prefix}/lib
-includedir=${prefix}/include
-
-Name: OpenSSL-libssl
-Description: Secure Sockets Layer and cryptography libraries
-Version: 1.1.1t
-Requires.private: libcrypto
-Libs: -L${libdir} -lssl
-Cflags: -I${includedir}
--- a/deps/openssl/android/arm64-v8a/usr/local/lib/pkgconfig/openssl.pc
+++ b/deps/openssl/android/arm64-v8a/usr/local/lib/pkgconfig/openssl.pc
@ -1,9 +0,0 @@
-prefix=/usr/local
-exec_prefix=${prefix}
-libdir=${exec_prefix}/lib
-includedir=${prefix}/include
-
-Name: OpenSSL
-Description: Secure Sockets Layer and cryptography libraries and tools
-Version: 1.1.1t
-Requires: libssl libcrypto
--- a/deps/openssl/android/arm64-v8a/usr/local/share/doc/openssl/html/man1/CA.pl.html
+++ b/deps/openssl/android/arm64-v8a/usr/local/share/doc/openssl/html/man1/CA.pl.html
@ -1,198 +0,0 @@
-<?xml version="1.0" ?>
-<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
-<html xmlns="http://www.w3.org/1999/xhtml">
-<head>
-<title>CA.pl</title>
-<meta http-equiv="content-type" content="text/html; charset=utf-8" />
-<link rev="made" href="mailto:root@localhost" />
-</head>
-
-<body>
-
-
-
-<ul id="index">
-  <li><a href="#NAME">NAME</a></li>
-  <li><a href="#SYNOPSIS">SYNOPSIS</a></li>
-  <li><a href="#DESCRIPTION">DESCRIPTION</a></li>
-  <li><a href="#OPTIONS">OPTIONS</a></li>
-  <li><a href="#EXAMPLES">EXAMPLES</a></li>
-  <li><a href="#DSA-CERTIFICATES">DSA CERTIFICATES</a></li>
-  <li><a href="#NOTES">NOTES</a></li>
-  <li><a href="#SEE-ALSO">SEE ALSO</a></li>
-  <li><a href="#COPYRIGHT">COPYRIGHT</a></li>
-</ul>
-
-<h1 id="NAME">NAME</h1>
-
-<p>CA.pl - friendlier interface for OpenSSL certificate programs</p>
-
-<h1 id="SYNOPSIS">SYNOPSIS</h1>
-
-<p><b>CA.pl</b> <b>-?</b> | <b>-h</b> | <b>-help</b></p>
-
-<p><b>CA.pl</b> <b>-newcert</b> | <b>-newreq</b> | <b>-newreq-nodes</b> | <b>-xsign</b> | <b>-sign</b> | <b>-signCA</b> | <b>-signcert</b> | <b>-crl</b> | <b>-newca</b> [<b>-extra-cmd</b> extra-params]</p>
-
-<p><b>CA.pl</b> <b>-pkcs12</b> [<b>-extra-pkcs12</b> extra-params] [<b>certname</b>]</p>
-
-<p><b>CA.pl</b> <b>-verify</b> [<b>-extra-verify</b> extra-params] <b>certfile</b>...</p>
-
-<p><b>CA.pl</b> <b>-revoke</b> [<b>-extra-ca</b> extra-params] <b>certfile</b> [<b>reason</b>]</p>
-
-<h1 id="DESCRIPTION">DESCRIPTION</h1>
-
-<p>The <b>CA.pl</b> script is a perl script that supplies the relevant command line arguments to the <b>openssl</b> command for some common certificate operations. It is intended to simplify the process of certificate creation and management by the use of some simple options.</p>
-
-<h1 id="OPTIONS">OPTIONS</h1>
-
-<dl>
-
-<dt id="h--help"><b>?</b>, <b>-h</b>, <b>-help</b></dt>
-<dd>
-
-<p>Prints a usage message.</p>
-
-</dd>
-<dt id="newcert"><b>-newcert</b></dt>
-<dd>
-
-<p>Creates a new self signed certificate. The private key is written to the file &quot;newkey.pem&quot; and the request written to the file &quot;newreq.pem&quot;. This argument invokes <b>openssl req</b> command.</p>
-
-</dd>
-<dt id="newreq"><b>-newreq</b></dt>
-<dd>
-
-<p>Creates a new certificate request. The private key is written to the file &quot;newkey.pem&quot; and the request written to the file &quot;newreq.pem&quot;. Executes <b>openssl req</b> command below the hood.</p>
-
-</dd>
-<dt id="newreq-nodes"><b>-newreq-nodes</b></dt>
-<dd>
-
-<p>Is like <b>-newreq</b> except that the private key will not be encrypted. Uses <b>openssl req</b> command.</p>
-
-</dd>
-<dt id="newca"><b>-newca</b></dt>
-<dd>
-
-<p>Creates a new CA hierarchy for use with the <b>ca</b> program (or the <b>-signcert</b> and <b>-xsign</b> options). The user is prompted to enter the filename of the CA certificates (which should also contain the private key) or by hitting ENTER details of the CA will be prompted for. The relevant files and directories are created in a directory called &quot;demoCA&quot; in the current directory. <b>openssl req</b> and <b>openssl ca</b> commands are get invoked.</p>
-
-</dd>
-<dt id="pkcs12"><b>-pkcs12</b></dt>
-<dd>
-
-<p>Create a PKCS#12 file containing the user certificate, private key and CA certificate. It expects the user certificate and private key to be in the file &quot;newcert.pem&quot; and the CA certificate to be in the file demoCA/cacert.pem, it creates a file &quot;newcert.p12&quot;. This command can thus be called after the <b>-sign</b> option. The PKCS#12 file can be imported directly into a browser. If there is an additional argument on the command line it will be used as the &quot;friendly name&quot; for the certificate (which is typically displayed in the browser list box), otherwise the name &quot;My Certificate&quot; is used. Delegates work to <b>openssl pkcs12</b> command.</p>
-
-</dd>
-<dt id="sign--signcert--xsign"><b>-sign</b>, <b>-signcert</b>, <b>-xsign</b></dt>
-<dd>
-
-<p>Calls the <b>ca</b> program to sign a certificate request. It expects the request to be in the file &quot;newreq.pem&quot;. The new certificate is written to the file &quot;newcert.pem&quot; except in the case of the <b>-xsign</b> option when it is written to standard output. Leverages <b>openssl ca</b> command.</p>
-
-</dd>
-<dt id="signCA"><b>-signCA</b></dt>
-<dd>
-
-<p>This option is the same as the <b>-sign</b> option except it uses the configuration file section <b>v3_ca</b> and so makes the signed request a valid CA certificate. This is useful when creating intermediate CA from a root CA. Extra params are passed on to <b>openssl ca</b> command.</p>
-
-</dd>
-<dt id="signcert"><b>-signcert</b></dt>
-<dd>
-
-<p>This option is the same as <b>-sign</b> except it expects a self signed certificate to be present in the file &quot;newreq.pem&quot;. Extra params are passed on to <b>openssl x509</b> and <b>openssl ca</b> commands.</p>
-
-</dd>
-<dt id="crl"><b>-crl</b></dt>
-<dd>
-
-<p>Generate a CRL. Executes <b>openssl ca</b> command.</p>
-
-</dd>
-<dt id="revoke-certfile-reason"><b>-revoke certfile [reason]</b></dt>
-<dd>
-
-<p>Revoke the certificate contained in the specified <b>certfile</b>. An optional reason may be specified, and must be one of: <b>unspecified</b>, <b>keyCompromise</b>, <b>CACompromise</b>, <b>affiliationChanged</b>, <b>superseded</b>, <b>cessationOfOperation</b>, <b>certificateHold</b>, or <b>removeFromCRL</b>. Leverages <b>openssl ca</b> command.</p>
-
-</dd>
-<dt id="verify"><b>-verify</b></dt>
-<dd>
-
-<p>Verifies certificates against the CA certificate for &quot;demoCA&quot;. If no certificates are specified on the command line it tries to verify the file &quot;newcert.pem&quot;. Invokes <b>openssl verify</b> command.</p>
-
-</dd>
-<dt id="extra-req--extra-ca--extra-pkcs12--extra-x509--extra-verify-extra-params"><b>-extra-req</b> | <b>-extra-ca</b> | <b>-extra-pkcs12</b> | <b>-extra-x509</b> | <b>-extra-verify</b> &lt;extra-params&gt;</dt>
-<dd>
-
-<p>The purpose of these parameters is to allow optional parameters to be supplied to <b>openssl</b> that this command executes. The <b>-extra-cmd</b> are specific to the option being used and the <b>openssl</b> command getting invoked. For example when this command invokes <b>openssl req</b> extra parameters can be passed on with the <b>-extra-req</b> parameter. The <b>openssl</b> commands being invoked per option are documented below. Users should consult <b>openssl</b> command documentation for more information.</p>
-
-</dd>
-</dl>
-
-<h1 id="EXAMPLES">EXAMPLES</h1>
-
-<p>Create a CA hierarchy:</p>
-
-<pre><code>CA.pl -newca</code></pre>
-
-<p>Complete certificate creation example: create a CA, create a request, sign the request and finally create a PKCS#12 file containing it.</p>
-
-<pre><code>CA.pl -newca
-CA.pl -newreq
-CA.pl -sign
-CA.pl -pkcs12 &quot;My Test Certificate&quot;</code></pre>
-
-<h1 id="DSA-CERTIFICATES">DSA CERTIFICATES</h1>
-
-<p>Although the <b>CA.pl</b> creates RSA CAs and requests it is still possible to use it with DSA certificates and requests using the <a href="../man1/req.html">req(1)</a> command directly. The following example shows the steps that would typically be taken.</p>
-
-<p>Create some DSA parameters:</p>
-
-<pre><code>openssl dsaparam -out dsap.pem 1024</code></pre>
-
-<p>Create a DSA CA certificate and private key:</p>
-
-<pre><code>openssl req -x509 -newkey dsa:dsap.pem -keyout cacert.pem -out cacert.pem</code></pre>
-
-<p>Create the CA directories and files:</p>
-
-<pre><code>CA.pl -newca</code></pre>
-
-<p>enter cacert.pem when prompted for the CA filename.</p>
-
-<p>Create a DSA certificate request and private key (a different set of parameters can optionally be created first):</p>
-
-<pre><code>openssl req -out newreq.pem -newkey dsa:dsap.pem</code></pre>
-
-<p>Sign the request:</p>
-
-<pre><code>CA.pl -sign</code></pre>
-
-<h1 id="NOTES">NOTES</h1>
-
-<p>Most of the filenames mentioned can be modified by editing the <b>CA.pl</b> script.</p>
-
-<p>If the demoCA directory already exists then the <b>-newca</b> command will not overwrite it and will do nothing. This can happen if a previous call using the <b>-newca</b> option terminated abnormally. To get the correct behaviour delete the demoCA directory if it already exists.</p>
-
-<p>Under some environments it may not be possible to run the <b>CA.pl</b> script directly (for example Win32) and the default configuration file location may be wrong. In this case the command:</p>
-
-<pre><code>perl -S CA.pl</code></pre>
-
-<p>can be used and the <b>OPENSSL_CONF</b> environment variable changed to point to the correct path of the configuration file.</p>
-
-<p>The script is intended as a simple front end for the <b>openssl</b> program for use by a beginner. Its behaviour isn&#39;t always what is wanted. For more control over the behaviour of the certificate commands call the <b>openssl</b> command directly.</p>
-
-<h1 id="SEE-ALSO">SEE ALSO</h1>
-
-<p><a href="../man1/x509.html">x509(1)</a>, <a href="../man1/ca.html">ca(1)</a>, <a href="../man1/req.html">req(1)</a>, <a href="../man1/pkcs12.html">pkcs12(1)</a>, <a href="../man5/config.html">config(5)</a></p>
-
-<h1 id="COPYRIGHT">COPYRIGHT</h1>
-
-<p>Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved.</p>
-
-<p>Licensed under the OpenSSL license (the &quot;License&quot;). You may not use this file except in compliance with the License. You can obtain a copy in the file LICENSE in the source distribution or at <a href="https://www.openssl.org/source/license.html">https://www.openssl.org/source/license.html</a>.</p>
-
-
-</body>
-
-</html>
-
-
--- a/deps/openssl/android/arm64-v8a/usr/local/share/doc/openssl/html/man1/asn1parse.html
+++ b/deps/openssl/android/arm64-v8a/usr/local/share/doc/openssl/html/man1/asn1parse.html
@ -1,227 +0,0 @@
-<?xml version="1.0" ?>
-<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
-<html xmlns="http://www.w3.org/1999/xhtml">
-<head>
-<title>asn1parse</title>
-<meta http-equiv="content-type" content="text/html; charset=utf-8" />
-<link rev="made" href="mailto:root@localhost" />
-</head>
-
-<body>
-
-
-
-<ul id="index">
-  <li><a href="#NAME">NAME</a></li>
-  <li><a href="#SYNOPSIS">SYNOPSIS</a></li>
-  <li><a href="#DESCRIPTION">DESCRIPTION</a></li>
-  <li><a href="#OPTIONS">OPTIONS</a>
-    <ul>
-      <li><a href="#Output">Output</a></li>
-    </ul>
-  </li>
-  <li><a href="#NOTES">NOTES</a></li>
-  <li><a href="#EXAMPLES">EXAMPLES</a></li>
-  <li><a href="#BUGS">BUGS</a></li>
-  <li><a href="#SEE-ALSO">SEE ALSO</a></li>
-  <li><a href="#COPYRIGHT">COPYRIGHT</a></li>
-</ul>
-
-<h1 id="NAME">NAME</h1>
-
-<p>openssl-asn1parse, asn1parse - ASN.1 parsing tool</p>
-
-<h1 id="SYNOPSIS">SYNOPSIS</h1>
-
-<p><b>openssl</b> <b>asn1parse</b> [<b>-help</b>] [<b>-inform PEM|DER</b>] [<b>-in filename</b>] [<b>-out filename</b>] [<b>-noout</b>] [<b>-offset number</b>] [<b>-length number</b>] [<b>-i</b>] [<b>-oid filename</b>] [<b>-dump</b>] [<b>-dlimit num</b>] [<b>-strparse offset</b>] [<b>-genstr string</b>] [<b>-genconf file</b>] [<b>-strictpem</b>] [<b>-item name</b>]</p>
-
-<h1 id="DESCRIPTION">DESCRIPTION</h1>
-
-<p>The <b>asn1parse</b> command is a diagnostic utility that can parse ASN.1 structures. It can also be used to extract data from ASN.1 formatted data.</p>
-
-<h1 id="OPTIONS">OPTIONS</h1>
-
-<dl>
-
-<dt id="help"><b>-help</b></dt>
-<dd>
-
-<p>Print out a usage message.</p>
-
-</dd>
-<dt id="inform-DER-PEM"><b>-inform</b> <b>DER|PEM</b></dt>
-<dd>
-
-<p>The input format. <b>DER</b> is binary format and <b>PEM</b> (the default) is base64 encoded.</p>
-
-</dd>
-<dt id="in-filename"><b>-in filename</b></dt>
-<dd>
-
-<p>The input file, default is standard input.</p>
-
-</dd>
-<dt id="out-filename"><b>-out filename</b></dt>
-<dd>
-
-<p>Output file to place the DER encoded data into. If this option is not present then no data will be output. This is most useful when combined with the <b>-strparse</b> option.</p>
-
-</dd>
-<dt id="noout"><b>-noout</b></dt>
-<dd>
-
-<p>Don&#39;t output the parsed version of the input file.</p>
-
-</dd>
-<dt id="offset-number"><b>-offset number</b></dt>
-<dd>
-
-<p>Starting offset to begin parsing, default is start of file.</p>
-
-</dd>
-<dt id="length-number"><b>-length number</b></dt>
-<dd>
-
-<p>Number of bytes to parse, default is until end of file.</p>
-
-</dd>
-<dt id="i"><b>-i</b></dt>
-<dd>
-
-<p>Indents the output according to the &quot;depth&quot; of the structures.</p>
-
-</dd>
-<dt id="oid-filename"><b>-oid filename</b></dt>
-<dd>
-
-<p>A file containing additional OBJECT IDENTIFIERs (OIDs). The format of this file is described in the NOTES section below.</p>
-
-</dd>
-<dt id="dump"><b>-dump</b></dt>
-<dd>
-
-<p>Dump unknown data in hex format.</p>
-
-</dd>
-<dt id="dlimit-num"><b>-dlimit num</b></dt>
-<dd>
-
-<p>Like <b>-dump</b>, but only the first <b>num</b> bytes are output.</p>
-
-</dd>
-<dt id="strparse-offset"><b>-strparse offset</b></dt>
-<dd>
-
-<p>Parse the contents octets of the ASN.1 object starting at <b>offset</b>. This option can be used multiple times to &quot;drill down&quot; into a nested structure.</p>
-
-</dd>
-<dt id="genstr-string--genconf-file"><b>-genstr string</b>, <b>-genconf file</b></dt>
-<dd>
-
-<p>Generate encoded data based on <b>string</b>, <b>file</b> or both using <a href="../man3/ASN1_generate_nconf.html">ASN1_generate_nconf(3)</a> format. If <b>file</b> only is present then the string is obtained from the default section using the name <b>asn1</b>. The encoded data is passed through the ASN1 parser and printed out as though it came from a file, the contents can thus be examined and written to a file using the <b>out</b> option.</p>
-
-</dd>
-<dt id="strictpem"><b>-strictpem</b></dt>
-<dd>
-
-<p>If this option is used then <b>-inform</b> will be ignored. Without this option any data in a PEM format input file will be treated as being base64 encoded and processed whether it has the normal PEM BEGIN and END markers or not. This option will ignore any data prior to the start of the BEGIN marker, or after an END marker in a PEM file.</p>
-
-</dd>
-<dt id="item-name"><b>-item name</b></dt>
-<dd>
-
-<p>Attempt to decode and print the data as <b>ASN1_ITEM name</b>. This can be used to print out the fields of any supported ASN.1 structure if the type is known.</p>
-
-</dd>
-</dl>
-
-<h2 id="Output">Output</h2>
-
-<p>The output will typically contain lines like this:</p>
-
-<pre><code>0:d=0  hl=4 l= 681 cons: SEQUENCE</code></pre>
-
-<p>.....</p>
-
-<pre><code>229:d=3  hl=3 l= 141 prim: BIT STRING
-373:d=2  hl=3 l= 162 cons: cont [ 3 ]
-376:d=3  hl=3 l= 159 cons: SEQUENCE
-379:d=4  hl=2 l=  29 cons: SEQUENCE
-381:d=5  hl=2 l=   3 prim: OBJECT            :X509v3 Subject Key Identifier
-386:d=5  hl=2 l=  22 prim: OCTET STRING
-410:d=4  hl=2 l= 112 cons: SEQUENCE
-412:d=5  hl=2 l=   3 prim: OBJECT            :X509v3 Authority Key Identifier
-417:d=5  hl=2 l= 105 prim: OCTET STRING
-524:d=4  hl=2 l=  12 cons: SEQUENCE</code></pre>
-
-<p>.....</p>
-
-<p>This example is part of a self-signed certificate. Each line starts with the offset in decimal. <b>d=XX</b> specifies the current depth. The depth is increased within the scope of any SET or SEQUENCE. <b>hl=XX</b> gives the header length (tag and length octets) of the current type. <b>l=XX</b> gives the length of the contents octets.</p>
-
-<p>The <b>-i</b> option can be used to make the output more readable.</p>
-
-<p>Some knowledge of the ASN.1 structure is needed to interpret the output.</p>
-
-<p>In this example the BIT STRING at offset 229 is the certificate public key. The contents octets of this will contain the public key information. This can be examined using the option <b>-strparse 229</b> to yield:</p>
-
-<pre><code>  0:d=0  hl=3 l= 137 cons: SEQUENCE
-  3:d=1  hl=3 l= 129 prim: INTEGER           :E5D21E1F5C8D208EA7A2166C7FAF9F6BDF2059669C60876DDB70840F1A5AAFA59699FE471F379F1DD6A487E7D5409AB6A88D4A9746E24B91D8CF55DB3521015460C8EDE44EE8A4189F7A7BE77D6CD3A9AF2696F486855CF58BF0EDF2B4068058C7A947F52548DDF7E15E96B385F86422BEA9064A3EE9E1158A56E4A6F47E5897
-135:d=1  hl=2 l=   3 prim: INTEGER           :010001</code></pre>
-
-<h1 id="NOTES">NOTES</h1>
-
-<p>If an OID is not part of OpenSSL&#39;s internal table it will be represented in numerical form (for example 1.2.3.4). The file passed to the <b>-oid</b> option allows additional OIDs to be included. Each line consists of three columns, the first column is the OID in numerical format and should be followed by white space. The second column is the &quot;short name&quot; which is a single word followed by white space. The final column is the rest of the line and is the &quot;long name&quot;. <b>asn1parse</b> displays the long name. Example:</p>
-
-<p><code>1.2.3.4 shortName A long name</code></p>
-
-<h1 id="EXAMPLES">EXAMPLES</h1>
-
-<p>Parse a file:</p>
-
-<pre><code>openssl asn1parse -in file.pem</code></pre>
-
-<p>Parse a DER file:</p>
-
-<pre><code>openssl asn1parse -inform DER -in file.der</code></pre>
-
-<p>Generate a simple UTF8String:</p>
-
-<pre><code>openssl asn1parse -genstr &#39;UTF8:Hello World&#39;</code></pre>
-
-<p>Generate and write out a UTF8String, don&#39;t print parsed output:</p>
-
-<pre><code>openssl asn1parse -genstr &#39;UTF8:Hello World&#39; -noout -out utf8.der</code></pre>
-
-<p>Generate using a config file:</p>
-
-<pre><code>openssl asn1parse -genconf asn1.cnf -noout -out asn1.der</code></pre>
-
-<p>Example config file:</p>
-
-<pre><code>asn1=SEQUENCE:seq_sect
-
-[seq_sect]
-
-field1=BOOL:TRUE
-field2=EXP:0, UTF8:some random string</code></pre>
-
-<h1 id="BUGS">BUGS</h1>
-
-<p>There should be options to change the format of output lines. The output of some ASN.1 types is not well handled (if at all).</p>
-
-<h1 id="SEE-ALSO">SEE ALSO</h1>
-
-<p><a href="../man3/ASN1_generate_nconf.html">ASN1_generate_nconf(3)</a></p>
-
-<h1 id="COPYRIGHT">COPYRIGHT</h1>
-
-<p>Copyright 2000-2017 The OpenSSL Project Authors. All Rights Reserved.</p>
-
-<p>Licensed under the OpenSSL license (the &quot;License&quot;). You may not use this file except in compliance with the License. You can obtain a copy in the file LICENSE in the source distribution or at <a href="https://www.openssl.org/source/license.html">https://www.openssl.org/source/license.html</a>.</p>
-
-
-</body>
-
-</html>
-
-
--- a/deps/openssl/android/arm64-v8a/usr/local/share/doc/openssl/html/man1/c_rehash.html
+++ b/deps/openssl/android/arm64-v8a/usr/local/share/doc/openssl/html/man1/c_rehash.html
@ -1 +0,0 @@
-rehash.html
--- a/deps/openssl/android/arm64-v8a/usr/local/share/doc/openssl/html/man1/ca.html
+++ b/deps/openssl/android/arm64-v8a/usr/local/share/doc/openssl/html/man1/ca.html
@ -1,671 +0,0 @@
-<?xml version="1.0" ?>
-<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
-<html xmlns="http://www.w3.org/1999/xhtml">
-<head>
-<title>ca</title>
-<meta http-equiv="content-type" content="text/html; charset=utf-8" />
-<link rev="made" href="mailto:root@localhost" />
-</head>
-
-<body>
-
-
-
-<ul id="index">
-  <li><a href="#NAME">NAME</a></li>
-  <li><a href="#SYNOPSIS">SYNOPSIS</a></li>
-  <li><a href="#DESCRIPTION">DESCRIPTION</a></li>
-  <li><a href="#OPTIONS">OPTIONS</a></li>
-  <li><a href="#CRL-OPTIONS">CRL OPTIONS</a></li>
-  <li><a href="#CONFIGURATION-FILE-OPTIONS">CONFIGURATION FILE OPTIONS</a></li>
-  <li><a href="#POLICY-FORMAT">POLICY FORMAT</a></li>
-  <li><a href="#SPKAC-FORMAT">SPKAC FORMAT</a></li>
-  <li><a href="#EXAMPLES">EXAMPLES</a></li>
-  <li><a href="#FILES">FILES</a></li>
-  <li><a href="#RESTRICTIONS">RESTRICTIONS</a></li>
-  <li><a href="#BUGS">BUGS</a></li>
-  <li><a href="#WARNINGS">WARNINGS</a></li>
-  <li><a href="#HISTORY">HISTORY</a></li>
-  <li><a href="#SEE-ALSO">SEE ALSO</a></li>
-  <li><a href="#COPYRIGHT">COPYRIGHT</a></li>
-</ul>
-
-<h1 id="NAME">NAME</h1>
-
-<p>openssl-ca, ca - sample minimal CA application</p>
-
-<h1 id="SYNOPSIS">SYNOPSIS</h1>
-
-<p><b>openssl</b> <b>ca</b> [<b>-help</b>] [<b>-verbose</b>] [<b>-config filename</b>] [<b>-name section</b>] [<b>-gencrl</b>] [<b>-revoke file</b>] [<b>-valid file</b>] [<b>-status serial</b>] [<b>-updatedb</b>] [<b>-crl_reason reason</b>] [<b>-crl_hold instruction</b>] [<b>-crl_compromise time</b>] [<b>-crl_CA_compromise time</b>] [<b>-crldays days</b>] [<b>-crlhours hours</b>] [<b>-crlexts section</b>] [<b>-startdate date</b>] [<b>-enddate date</b>] [<b>-days arg</b>] [<b>-md arg</b>] [<b>-policy arg</b>] [<b>-keyfile arg</b>] [<b>-keyform PEM|DER</b>] [<b>-key arg</b>] [<b>-passin arg</b>] [<b>-cert file</b>] [<b>-selfsign</b>] [<b>-in file</b>] [<b>-out file</b>] [<b>-notext</b>] [<b>-outdir dir</b>] [<b>-infiles</b>] [<b>-spkac file</b>] [<b>-ss_cert file</b>] [<b>-preserveDN</b>] [<b>-noemailDN</b>] [<b>-batch</b>] [<b>-msie_hack</b>] [<b>-extensions section</b>] [<b>-extfile section</b>] [<b>-engine id</b>] [<b>-subj arg</b>] [<b>-utf8</b>] [<b>-sigopt nm:v</b>] [<b>-create_serial</b>] [<b>-rand_serial</b>] [<b>-multivalue-rdn</b>] [<b>-rand file...</b>] [<b>-writerand file</b>]</p>
-
-<h1 id="DESCRIPTION">DESCRIPTION</h1>
-
-<p>The <b>ca</b> command is a minimal CA application. It can be used to sign certificate requests in a variety of forms and generate CRLs it also maintains a text database of issued certificates and their status.</p>
-
-<p>The options descriptions will be divided into each purpose.</p>
-
-<h1 id="OPTIONS">OPTIONS</h1>
-
-<dl>
-
-<dt id="help"><b>-help</b></dt>
-<dd>
-
-<p>Print out a usage message.</p>
-
-</dd>
-<dt id="verbose"><b>-verbose</b></dt>
-<dd>
-
-<p>This prints extra details about the operations being performed.</p>
-
-</dd>
-<dt id="config-filename"><b>-config filename</b></dt>
-<dd>
-
-<p>Specifies the configuration file to use. Optional; for a description of the default value, see <a href="../man1/openssl.html">&quot;COMMAND SUMMARY&quot; in openssl(1)</a>.</p>
-
-</dd>
-<dt id="name-section"><b>-name section</b></dt>
-<dd>
-
-<p>Specifies the configuration file section to use (overrides <b>default_ca</b> in the <b>ca</b> section).</p>
-
-</dd>
-<dt id="in-filename"><b>-in filename</b></dt>
-<dd>
-
-<p>An input filename containing a single certificate request to be signed by the CA.</p>
-
-</dd>
-<dt id="ss_cert-filename"><b>-ss_cert filename</b></dt>
-<dd>
-
-<p>A single self-signed certificate to be signed by the CA.</p>
-
-</dd>
-<dt id="spkac-filename"><b>-spkac filename</b></dt>
-<dd>
-
-<p>A file containing a single Netscape signed public key and challenge and additional field values to be signed by the CA. See the <b>SPKAC FORMAT</b> section for information on the required input and output format.</p>
-
-</dd>
-<dt id="infiles"><b>-infiles</b></dt>
-<dd>
-
-<p>If present this should be the last option, all subsequent arguments are taken as the names of files containing certificate requests.</p>
-
-</dd>
-<dt id="out-filename"><b>-out filename</b></dt>
-<dd>
-
-<p>The output file to output certificates to. The default is standard output. The certificate details will also be printed out to this file in PEM format (except that <b>-spkac</b> outputs DER format).</p>
-
-</dd>
-<dt id="outdir-directory"><b>-outdir directory</b></dt>
-<dd>
-
-<p>The directory to output certificates to. The certificate will be written to a filename consisting of the serial number in hex with &quot;.pem&quot; appended.</p>
-
-</dd>
-<dt id="cert"><b>-cert</b></dt>
-<dd>
-
-<p>The CA certificate file.</p>
-
-</dd>
-<dt id="keyfile-filename"><b>-keyfile filename</b></dt>
-<dd>
-
-<p>The private key to sign requests with.</p>
-
-</dd>
-<dt id="keyform-PEM-DER"><b>-keyform PEM|DER</b></dt>
-<dd>
-
-<p>The format of the data in the private key file. The default is PEM.</p>
-
-</dd>
-<dt id="sigopt-nm:v"><b>-sigopt nm:v</b></dt>
-<dd>
-
-<p>Pass options to the signature algorithm during sign or verify operations. Names and values of these options are algorithm-specific.</p>
-
-</dd>
-<dt id="key-password"><b>-key password</b></dt>
-<dd>
-
-<p>The password used to encrypt the private key. Since on some systems the command line arguments are visible (e.g. Unix with the &#39;ps&#39; utility) this option should be used with caution.</p>
-
-</dd>
-<dt id="selfsign"><b>-selfsign</b></dt>
-<dd>
-
-<p>Indicates the issued certificates are to be signed with the key the certificate requests were signed with (given with <b>-keyfile</b>). Certificate requests signed with a different key are ignored. If <b>-spkac</b>, <b>-ss_cert</b> or <b>-gencrl</b> are given, <b>-selfsign</b> is ignored.</p>
-
-<p>A consequence of using <b>-selfsign</b> is that the self-signed certificate appears among the entries in the certificate database (see the configuration option <b>database</b>), and uses the same serial number counter as all other certificates sign with the self-signed certificate.</p>
-
-</dd>
-<dt id="passin-arg"><b>-passin arg</b></dt>
-<dd>
-
-<p>The key password source. For more information about the format of <b>arg</b> see <a href="../man1/openssl.html">&quot;Pass Phrase Options&quot; in openssl(1)</a>.</p>
-
-</dd>
-<dt id="notext"><b>-notext</b></dt>
-<dd>
-
-<p>Don&#39;t output the text form of a certificate to the output file.</p>
-
-</dd>
-<dt id="startdate-date"><b>-startdate date</b></dt>
-<dd>
-
-<p>This allows the start date to be explicitly set. The format of the date is YYMMDDHHMMSSZ (the same as an ASN1 UTCTime structure), or YYYYMMDDHHMMSSZ (the same as an ASN1 GeneralizedTime structure). In both formats, seconds SS and timezone Z must be present.</p>
-
-</dd>
-<dt id="enddate-date"><b>-enddate date</b></dt>
-<dd>
-
-<p>This allows the expiry date to be explicitly set. The format of the date is YYMMDDHHMMSSZ (the same as an ASN1 UTCTime structure), or YYYYMMDDHHMMSSZ (the same as an ASN1 GeneralizedTime structure). In both formats, seconds SS and timezone Z must be present.</p>
-
-</dd>
-<dt id="days-arg"><b>-days arg</b></dt>
-<dd>
-
-<p>The number of days to certify the certificate for.</p>
-
-</dd>
-<dt id="md-alg"><b>-md alg</b></dt>
-<dd>
-
-<p>The message digest to use. Any digest supported by the OpenSSL <b>dgst</b> command can be used. For signing algorithms that do not support a digest (i.e. Ed25519 and Ed448) any message digest that is set is ignored. This option also applies to CRLs.</p>
-
-</dd>
-<dt id="policy-arg"><b>-policy arg</b></dt>
-<dd>
-
-<p>This option defines the CA &quot;policy&quot; to use. This is a section in the configuration file which decides which fields should be mandatory or match the CA certificate. Check out the <b>POLICY FORMAT</b> section for more information.</p>
-
-</dd>
-<dt id="msie_hack"><b>-msie_hack</b></dt>
-<dd>
-
-<p>This is a deprecated option to make <b>ca</b> work with very old versions of the IE certificate enrollment control &quot;certenr3&quot;. It used UniversalStrings for almost everything. Since the old control has various security bugs its use is strongly discouraged.</p>
-
-</dd>
-<dt id="preserveDN"><b>-preserveDN</b></dt>
-<dd>
-
-<p>Normally the DN order of a certificate is the same as the order of the fields in the relevant policy section. When this option is set the order is the same as the request. This is largely for compatibility with the older IE enrollment control which would only accept certificates if their DNs match the order of the request. This is not needed for Xenroll.</p>
-
-</dd>
-<dt id="noemailDN"><b>-noemailDN</b></dt>
-<dd>
-
-<p>The DN of a certificate can contain the EMAIL field if present in the request DN, however, it is good policy just having the e-mail set into the altName extension of the certificate. When this option is set the EMAIL field is removed from the certificate&#39; subject and set only in the, eventually present, extensions. The <b>email_in_dn</b> keyword can be used in the configuration file to enable this behaviour.</p>
-
-</dd>
-<dt id="batch"><b>-batch</b></dt>
-<dd>
-
-<p>This sets the batch mode. In this mode no questions will be asked and all certificates will be certified automatically.</p>
-
-</dd>
-<dt id="extensions-section"><b>-extensions section</b></dt>
-<dd>
-
-<p>The section of the configuration file containing certificate extensions to be added when a certificate is issued (defaults to <b>x509_extensions</b> unless the <b>-extfile</b> option is used). If no extension section is present then, a V1 certificate is created. If the extension section is present (even if it is empty), then a V3 certificate is created. See the <a href="../man5/x509v3_config.html">x509v3_config(5)</a> manual page for details of the extension section format.</p>
-
-</dd>
-<dt id="extfile-file"><b>-extfile file</b></dt>
-<dd>
-
-<p>An additional configuration file to read certificate extensions from (using the default section unless the <b>-extensions</b> option is also used).</p>
-
-</dd>
-<dt id="engine-id"><b>-engine id</b></dt>
-<dd>
-
-<p>Specifying an engine (by its unique <b>id</b> string) will cause <b>ca</b> to attempt to obtain a functional reference to the specified engine, thus initialising it if needed. The engine will then be set as the default for all available algorithms.</p>
-
-</dd>
-<dt id="subj-arg"><b>-subj arg</b></dt>
-<dd>
-
-<p>Supersedes subject name given in the request. The arg must be formatted as <i>/type0=value0/type1=value1/type2=...</i>. Keyword characters may be escaped by \ (backslash), and whitespace is retained. Empty values are permitted, but the corresponding type will not be included in the resulting certificate.</p>
-
-</dd>
-<dt id="utf8"><b>-utf8</b></dt>
-<dd>
-
-<p>This option causes field values to be interpreted as UTF8 strings, by default they are interpreted as ASCII. This means that the field values, whether prompted from a terminal or obtained from a configuration file, must be valid UTF8 strings.</p>
-
-</dd>
-<dt id="create_serial"><b>-create_serial</b></dt>
-<dd>
-
-<p>If reading serial from the text file as specified in the configuration fails, specifying this option creates a new random serial to be used as next serial number. To get random serial numbers, use the <b>-rand_serial</b> flag instead; this should only be used for simple error-recovery.</p>
-
-</dd>
-<dt id="rand_serial"><b>-rand_serial</b></dt>
-<dd>
-
-<p>Generate a large random number to use as the serial number. This overrides any option or configuration to use a serial number file.</p>
-
-</dd>
-<dt id="multivalue-rdn"><b>-multivalue-rdn</b></dt>
-<dd>
-
-<p>This option causes the -subj argument to be interpreted with full support for multivalued RDNs. Example:</p>
-
-<p><i>/DC=org/DC=OpenSSL/DC=users/UID=123456+CN=John Doe</i></p>
-
-<p>If -multi-rdn is not used then the UID value is <i>123456+CN=John Doe</i>.</p>
-
-</dd>
-<dt id="rand-file"><b>-rand file...</b></dt>
-<dd>
-
-<p>A file or files containing random data used to seed the random number generator. Multiple files can be specified separated by an OS-dependent character. The separator is <b>;</b> for MS-Windows, <b>,</b> for OpenVMS, and <b>:</b> for all others.</p>
-
-</dd>
-<dt id="writerand-file">[<b>-writerand file</b>]</dt>
-<dd>
-
-<p>Writes random data to the specified <i>file</i> upon exit. This can be used with a subsequent <b>-rand</b> flag.</p>
-
-</dd>
-</dl>
-
-<h1 id="CRL-OPTIONS">CRL OPTIONS</h1>
-
-<dl>
-
-<dt id="gencrl"><b>-gencrl</b></dt>
-<dd>
-
-<p>This option generates a CRL based on information in the index file.</p>
-
-</dd>
-<dt id="crldays-num"><b>-crldays num</b></dt>
-<dd>
-
-<p>The number of days before the next CRL is due. That is the days from now to place in the CRL nextUpdate field.</p>
-
-</dd>
-<dt id="crlhours-num"><b>-crlhours num</b></dt>
-<dd>
-
-<p>The number of hours before the next CRL is due.</p>
-
-</dd>
-<dt id="revoke-filename"><b>-revoke filename</b></dt>
-<dd>
-
-<p>A filename containing a certificate to revoke.</p>
-
-</dd>
-<dt id="valid-filename"><b>-valid filename</b></dt>
-<dd>
-
-<p>A filename containing a certificate to add a Valid certificate entry.</p>
-
-</dd>
-<dt id="status-serial"><b>-status serial</b></dt>
-<dd>
-
-<p>Displays the revocation status of the certificate with the specified serial number and exits.</p>
-
-</dd>
-<dt id="updatedb"><b>-updatedb</b></dt>
-<dd>
-
-<p>Updates the database index to purge expired certificates.</p>
-
-</dd>
-<dt id="crl_reason-reason"><b>-crl_reason reason</b></dt>
-<dd>
-
-<p>Revocation reason, where <b>reason</b> is one of: <b>unspecified</b>, <b>keyCompromise</b>, <b>CACompromise</b>, <b>affiliationChanged</b>, <b>superseded</b>, <b>cessationOfOperation</b>, <b>certificateHold</b> or <b>removeFromCRL</b>. The matching of <b>reason</b> is case insensitive. Setting any revocation reason will make the CRL v2.</p>
-
-<p>In practice <b>removeFromCRL</b> is not particularly useful because it is only used in delta CRLs which are not currently implemented.</p>
-
-</dd>
-<dt id="crl_hold-instruction"><b>-crl_hold instruction</b></dt>
-<dd>
-
-<p>This sets the CRL revocation reason code to <b>certificateHold</b> and the hold instruction to <b>instruction</b> which must be an OID. Although any OID can be used only <b>holdInstructionNone</b> (the use of which is discouraged by RFC2459) <b>holdInstructionCallIssuer</b> or <b>holdInstructionReject</b> will normally be used.</p>
-
-</dd>
-<dt id="crl_compromise-time"><b>-crl_compromise time</b></dt>
-<dd>
-
-<p>This sets the revocation reason to <b>keyCompromise</b> and the compromise time to <b>time</b>. <b>time</b> should be in GeneralizedTime format that is <b>YYYYMMDDHHMMSSZ</b>.</p>
-
-</dd>
-<dt id="crl_CA_compromise-time"><b>-crl_CA_compromise time</b></dt>
-<dd>
-
-<p>This is the same as <b>crl_compromise</b> except the revocation reason is set to <b>CACompromise</b>.</p>
-
-</dd>
-<dt id="crlexts-section"><b>-crlexts section</b></dt>
-<dd>
-
-<p>The section of the configuration file containing CRL extensions to include. If no CRL extension section is present then a V1 CRL is created, if the CRL extension section is present (even if it is empty) then a V2 CRL is created. The CRL extensions specified are CRL extensions and <b>not</b> CRL entry extensions. It should be noted that some software (for example Netscape) can&#39;t handle V2 CRLs. See <a href="../man5/x509v3_config.html">x509v3_config(5)</a> manual page for details of the extension section format.</p>
-
-</dd>
-</dl>
-
-<h1 id="CONFIGURATION-FILE-OPTIONS">CONFIGURATION FILE OPTIONS</h1>
-
-<p>The section of the configuration file containing options for <b>ca</b> is found as follows: If the <b>-name</b> command line option is used, then it names the section to be used. Otherwise the section to be used must be named in the <b>default_ca</b> option of the <b>ca</b> section of the configuration file (or in the default section of the configuration file). Besides <b>default_ca</b>, the following options are read directly from the <b>ca</b> section: RANDFILE preserve msie_hack With the exception of <b>RANDFILE</b>, this is probably a bug and may change in future releases.</p>
-
-<p>Many of the configuration file options are identical to command line options. Where the option is present in the configuration file and the command line the command line value is used. Where an option is described as mandatory then it must be present in the configuration file or the command line equivalent (if any) used.</p>
-
-<dl>
-
-<dt id="oid_file"><b>oid_file</b></dt>
-<dd>
-
-<p>This specifies a file containing additional <b>OBJECT IDENTIFIERS</b>. Each line of the file should consist of the numerical form of the object identifier followed by white space then the short name followed by white space and finally the long name.</p>
-
-</dd>
-<dt id="oid_section"><b>oid_section</b></dt>
-<dd>
-
-<p>This specifies a section in the configuration file containing extra object identifiers. Each line should consist of the short name of the object identifier followed by <b>=</b> and the numerical form. The short and long names are the same when this option is used.</p>
-
-</dd>
-<dt id="new_certs_dir"><b>new_certs_dir</b></dt>
-<dd>
-
-<p>The same as the <b>-outdir</b> command line option. It specifies the directory where new certificates will be placed. Mandatory.</p>
-
-</dd>
-<dt id="certificate"><b>certificate</b></dt>
-<dd>
-
-<p>The same as <b>-cert</b>. It gives the file containing the CA certificate. Mandatory.</p>
-
-</dd>
-<dt id="private_key"><b>private_key</b></dt>
-<dd>
-
-<p>Same as the <b>-keyfile</b> option. The file containing the CA private key. Mandatory.</p>
-
-</dd>
-<dt id="RANDFILE"><b>RANDFILE</b></dt>
-<dd>
-
-<p>At startup the specified file is loaded into the random number generator, and at exit 256 bytes will be written to it.</p>
-
-</dd>
-<dt id="default_days"><b>default_days</b></dt>
-<dd>
-
-<p>The same as the <b>-days</b> option. The number of days to certify a certificate for.</p>
-
-</dd>
-<dt id="default_startdate"><b>default_startdate</b></dt>
-<dd>
-
-<p>The same as the <b>-startdate</b> option. The start date to certify a certificate for. If not set the current time is used.</p>
-
-</dd>
-<dt id="default_enddate"><b>default_enddate</b></dt>
-<dd>
-
-<p>The same as the <b>-enddate</b> option. Either this option or <b>default_days</b> (or the command line equivalents) must be present.</p>
-
-</dd>
-<dt id="default_crl_hours-default_crl_days"><b>default_crl_hours default_crl_days</b></dt>
-<dd>
-
-<p>The same as the <b>-crlhours</b> and the <b>-crldays</b> options. These will only be used if neither command line option is present. At least one of these must be present to generate a CRL.</p>
-
-</dd>
-<dt id="default_md"><b>default_md</b></dt>
-<dd>
-
-<p>The same as the <b>-md</b> option. Mandatory except where the signing algorithm does not require a digest (i.e. Ed25519 and Ed448).</p>
-
-</dd>
-<dt id="database"><b>database</b></dt>
-<dd>
-
-<p>The text database file to use. Mandatory. This file must be present though initially it will be empty.</p>
-
-</dd>
-<dt id="unique_subject"><b>unique_subject</b></dt>
-<dd>
-
-<p>If the value <b>yes</b> is given, the valid certificate entries in the database must have unique subjects. if the value <b>no</b> is given, several valid certificate entries may have the exact same subject. The default value is <b>yes</b>, to be compatible with older (pre 0.9.8) versions of OpenSSL. However, to make CA certificate roll-over easier, it&#39;s recommended to use the value <b>no</b>, especially if combined with the <b>-selfsign</b> command line option.</p>
-
-<p>Note that it is valid in some circumstances for certificates to be created without any subject. In the case where there are multiple certificates without subjects this does not count as a duplicate.</p>
-
-</dd>
-<dt id="serial"><b>serial</b></dt>
-<dd>
-
-<p>A text file containing the next serial number to use in hex. Mandatory. This file must be present and contain a valid serial number.</p>
-
-</dd>
-<dt id="crlnumber"><b>crlnumber</b></dt>
-<dd>
-
-<p>A text file containing the next CRL number to use in hex. The crl number will be inserted in the CRLs only if this file exists. If this file is present, it must contain a valid CRL number.</p>
-
-</dd>
-<dt id="x509_extensions"><b>x509_extensions</b></dt>
-<dd>
-
-<p>The same as <b>-extensions</b>.</p>
-
-</dd>
-<dt id="crl_extensions"><b>crl_extensions</b></dt>
-<dd>
-
-<p>The same as <b>-crlexts</b>.</p>
-
-</dd>
-<dt id="preserve"><b>preserve</b></dt>
-<dd>
-
-<p>The same as <b>-preserveDN</b></p>
-
-</dd>
-<dt id="email_in_dn"><b>email_in_dn</b></dt>
-<dd>
-
-<p>The same as <b>-noemailDN</b>. If you want the EMAIL field to be removed from the DN of the certificate simply set this to &#39;no&#39;. If not present the default is to allow for the EMAIL filed in the certificate&#39;s DN.</p>
-
-</dd>
-<dt id="msie_hack1"><b>msie_hack</b></dt>
-<dd>
-
-<p>The same as <b>-msie_hack</b></p>
-
-</dd>
-<dt id="policy"><b>policy</b></dt>
-<dd>
-
-<p>The same as <b>-policy</b>. Mandatory. See the <b>POLICY FORMAT</b> section for more information.</p>
-
-</dd>
-<dt id="name_opt-cert_opt"><b>name_opt</b>, <b>cert_opt</b></dt>
-<dd>
-
-<p>These options allow the format used to display the certificate details when asking the user to confirm signing. All the options supported by the <b>x509</b> utilities <b>-nameopt</b> and <b>-certopt</b> switches can be used here, except the <b>no_signame</b> and <b>no_sigdump</b> are permanently set and cannot be disabled (this is because the certificate signature cannot be displayed because the certificate has not been signed at this point).</p>
-
-<p>For convenience the values <b>ca_default</b> are accepted by both to produce a reasonable output.</p>
-
-<p>If neither option is present the format used in earlier versions of OpenSSL is used. Use of the old format is <b>strongly</b> discouraged because it only displays fields mentioned in the <b>policy</b> section, mishandles multicharacter string types and does not display extensions.</p>
-
-</dd>
-<dt id="copy_extensions"><b>copy_extensions</b></dt>
-<dd>
-
-<p>Determines how extensions in certificate requests should be handled. If set to <b>none</b> or this option is not present then extensions are ignored and not copied to the certificate. If set to <b>copy</b> then any extensions present in the request that are not already present are copied to the certificate. If set to <b>copyall</b> then all extensions in the request are copied to the certificate: if the extension is already present in the certificate it is deleted first. See the <b>WARNINGS</b> section before using this option.</p>
-
-<p>The main use of this option is to allow a certificate request to supply values for certain extensions such as subjectAltName.</p>
-
-</dd>
-</dl>
-
-<h1 id="POLICY-FORMAT">POLICY FORMAT</h1>
-
-<p>The policy section consists of a set of variables corresponding to certificate DN fields. If the value is &quot;match&quot; then the field value must match the same field in the CA certificate. If the value is &quot;supplied&quot; then it must be present. If the value is &quot;optional&quot; then it may be present. Any fields not mentioned in the policy section are silently deleted, unless the <b>-preserveDN</b> option is set but this can be regarded more of a quirk than intended behaviour.</p>
-
-<h1 id="SPKAC-FORMAT">SPKAC FORMAT</h1>
-
-<p>The input to the <b>-spkac</b> command line option is a Netscape signed public key and challenge. This will usually come from the <b>KEYGEN</b> tag in an HTML form to create a new private key. It is however possible to create SPKACs using the <b>spkac</b> utility.</p>
-
-<p>The file should contain the variable SPKAC set to the value of the SPKAC and also the required DN components as name value pairs. If you need to include the same component twice then it can be preceded by a number and a &#39;.&#39;.</p>
-
-<p>When processing SPKAC format, the output is DER if the <b>-out</b> flag is used, but PEM format if sending to stdout or the <b>-outdir</b> flag is used.</p>
-
-<h1 id="EXAMPLES">EXAMPLES</h1>
-
-<p>Note: these examples assume that the <b>ca</b> directory structure is already set up and the relevant files already exist. This usually involves creating a CA certificate and private key with <b>req</b>, a serial number file and an empty index file and placing them in the relevant directories.</p>
-
-<p>To use the sample configuration file below the directories demoCA, demoCA/private and demoCA/newcerts would be created. The CA certificate would be copied to demoCA/cacert.pem and its private key to demoCA/private/cakey.pem. A file demoCA/serial would be created containing for example &quot;01&quot; and the empty index file demoCA/index.txt.</p>
-
-<p>Sign a certificate request:</p>
-
-<pre><code>openssl ca -in req.pem -out newcert.pem</code></pre>
-
-<p>Sign a certificate request, using CA extensions:</p>
-
-<pre><code>openssl ca -in req.pem -extensions v3_ca -out newcert.pem</code></pre>
-
-<p>Generate a CRL</p>
-
-<pre><code>openssl ca -gencrl -out crl.pem</code></pre>
-
-<p>Sign several requests:</p>
-
-<pre><code>openssl ca -infiles req1.pem req2.pem req3.pem</code></pre>
-
-<p>Certify a Netscape SPKAC:</p>
-
-<pre><code>openssl ca -spkac spkac.txt</code></pre>
-
-<p>A sample SPKAC file (the SPKAC line has been truncated for clarity):</p>
-
-<pre><code>SPKAC=MIG0MGAwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAn7PDhCeV/xIxUg8V70YRxK2A5
-CN=Steve Test
-emailAddress=steve@openssl.org
-0.OU=OpenSSL Group
-1.OU=Another Group</code></pre>
-
-<p>A sample configuration file with the relevant sections for <b>ca</b>:</p>
-
-<pre><code>[ ca ]
-default_ca      = CA_default            # The default ca section
-
-[ CA_default ]
-
-dir            = ./demoCA              # top dir
-database       = $dir/index.txt        # index file.
-new_certs_dir  = $dir/newcerts         # new certs dir
-
-certificate    = $dir/cacert.pem       # The CA cert
-serial         = $dir/serial           # serial no file
-#rand_serial    = yes                  # for random serial#&#39;s
-private_key    = $dir/private/cakey.pem# CA private key
-RANDFILE       = $dir/private/.rand    # random number file
-
-default_days   = 365                   # how long to certify for
-default_crl_days= 30                   # how long before next CRL
-default_md     = md5                   # md to use
-
-policy         = policy_any            # default policy
-email_in_dn    = no                    # Don&#39;t add the email into cert DN
-
-name_opt       = ca_default            # Subject name display option
-cert_opt       = ca_default            # Certificate display option
-copy_extensions = none                 # Don&#39;t copy extensions from request
-
-[ policy_any ]
-countryName            = supplied
-stateOrProvinceName    = optional
-organizationName       = optional
-organizationalUnitName = optional
-commonName             = supplied
-emailAddress           = optional</code></pre>
-
-<h1 id="FILES">FILES</h1>
-
-<p>Note: the location of all files can change either by compile time options, configuration file entries, environment variables or command line options. The values below reflect the default values.</p>
-
-<pre><code>/usr/local/ssl/lib/openssl.cnf - master configuration file
-./demoCA                       - main CA directory
-./demoCA/cacert.pem            - CA certificate
-./demoCA/private/cakey.pem     - CA private key
-./demoCA/serial                - CA serial number file
-./demoCA/serial.old            - CA serial number backup file
-./demoCA/index.txt             - CA text database file
-./demoCA/index.txt.old         - CA text database backup file
-./demoCA/certs                 - certificate output file
-./demoCA/.rnd                  - CA random seed information</code></pre>
-
-<h1 id="RESTRICTIONS">RESTRICTIONS</h1>
-
-<p>The text database index file is a critical part of the process and if corrupted it can be difficult to fix. It is theoretically possible to rebuild the index file from all the issued certificates and a current CRL: however there is no option to do this.</p>
-
-<p>V2 CRL features like delta CRLs are not currently supported.</p>
-
-<p>Although several requests can be input and handled at once it is only possible to include one SPKAC or self-signed certificate.</p>
-
-<h1 id="BUGS">BUGS</h1>
-
-<p>The use of an in-memory text database can cause problems when large numbers of certificates are present because, as the name implies the database has to be kept in memory.</p>
-
-<p>The <b>ca</b> command really needs rewriting or the required functionality exposed at either a command or interface level so a more friendly utility (perl script or GUI) can handle things properly. The script <b>CA.pl</b> helps a little but not very much.</p>
-
-<p>Any fields in a request that are not present in a policy are silently deleted. This does not happen if the <b>-preserveDN</b> option is used. To enforce the absence of the EMAIL field within the DN, as suggested by RFCs, regardless the contents of the request&#39; subject the <b>-noemailDN</b> option can be used. The behaviour should be more friendly and configurable.</p>
-
-<p>Canceling some commands by refusing to certify a certificate can create an empty file.</p>
-
-<h1 id="WARNINGS">WARNINGS</h1>
-
-<p>The <b>ca</b> command is quirky and at times downright unfriendly.</p>
-
-<p>The <b>ca</b> utility was originally meant as an example of how to do things in a CA. It was not supposed to be used as a full blown CA itself: nevertheless some people are using it for this purpose.</p>
-
-<p>The <b>ca</b> command is effectively a single user command: no locking is done on the various files and attempts to run more than one <b>ca</b> command on the same database can have unpredictable results.</p>
-
-<p>The <b>copy_extensions</b> option should be used with caution. If care is not taken then it can be a security risk. For example if a certificate request contains a basicConstraints extension with CA:TRUE and the <b>copy_extensions</b> value is set to <b>copyall</b> and the user does not spot this when the certificate is displayed then this will hand the requester a valid CA certificate.</p>
-
-<p>This situation can be avoided by setting <b>copy_extensions</b> to <b>copy</b> and including basicConstraints with CA:FALSE in the configuration file. Then if the request contains a basicConstraints extension it will be ignored.</p>
-
-<p>It is advisable to also include values for other extensions such as <b>keyUsage</b> to prevent a request supplying its own values.</p>
-
-<p>Additional restrictions can be placed on the CA certificate itself. For example if the CA certificate has:</p>
-
-<pre><code>basicConstraints = CA:TRUE, pathlen:0</code></pre>
-
-<p>then even if a certificate is issued with CA:TRUE it will not be valid.</p>
-
-<h1 id="HISTORY">HISTORY</h1>
-
-<p>Since OpenSSL 1.1.1, the program follows RFC5280. Specifically, certificate validity period (specified by any of <b>-startdate</b>, <b>-enddate</b> and <b>-days</b>) will be encoded as UTCTime if the dates are earlier than year 2049 (included), and as GeneralizedTime if the dates are in year 2050 or later.</p>
-
-<h1 id="SEE-ALSO">SEE ALSO</h1>
-
-<p><a href="../man1/req.html">req(1)</a>, <a href="../man1/spkac.html">spkac(1)</a>, <a href="../man1/x509.html">x509(1)</a>, <a href="../man1/CA.pl.html">CA.pl(1)</a>, <a href="../man5/config.html">config(5)</a>, <a href="../man5/x509v3_config.html">x509v3_config(5)</a></p>
-
-<h1 id="COPYRIGHT">COPYRIGHT</h1>
-
-<p>Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved.</p>
-
-<p>Licensed under the OpenSSL license (the &quot;License&quot;). You may not use this file except in compliance with the License. You can obtain a copy in the file LICENSE in the source distribution or at <a href="https://www.openssl.org/source/license.html">https://www.openssl.org/source/license.html</a>.</p>
-
-
-</body>
-
-</html>
-
-
--- a/deps/openssl/android/arm64-v8a/usr/local/share/doc/openssl/html/man1/ciphers.html
+++ b/deps/openssl/android/arm64-v8a/usr/local/share/doc/openssl/html/man1/ciphers.html
@ -1,811 +0,0 @@
-<?xml version="1.0" ?>
-<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
-<html xmlns="http://www.w3.org/1999/xhtml">
-<head>
-<title>ciphers</title>
-<meta http-equiv="content-type" content="text/html; charset=utf-8" />
-<link rev="made" href="mailto:root@localhost" />
-</head>
-
-<body>
-
-
-
-<ul id="index">
-  <li><a href="#NAME">NAME</a></li>
-  <li><a href="#SYNOPSIS">SYNOPSIS</a></li>
-  <li><a href="#DESCRIPTION">DESCRIPTION</a></li>
-  <li><a href="#OPTIONS">OPTIONS</a></li>
-  <li><a href="#CIPHER-LIST-FORMAT">CIPHER LIST FORMAT</a></li>
-  <li><a href="#CIPHER-STRINGS">CIPHER STRINGS</a></li>
-  <li><a href="#CIPHER-SUITE-NAMES">CIPHER SUITE NAMES</a>
-    <ul>
-      <li><a href="#SSL-v3.0-cipher-suites">SSL v3.0 cipher suites</a></li>
-      <li><a href="#TLS-v1.0-cipher-suites">TLS v1.0 cipher suites</a></li>
-      <li><a href="#AES-cipher-suites-from-RFC3268-extending-TLS-v1.0">AES cipher suites from RFC3268, extending TLS v1.0</a></li>
-      <li><a href="#Camellia-cipher-suites-from-RFC4132-extending-TLS-v1.0">Camellia cipher suites from RFC4132, extending TLS v1.0</a></li>
-      <li><a href="#SEED-cipher-suites-from-RFC4162-extending-TLS-v1.0">SEED cipher suites from RFC4162, extending TLS v1.0</a></li>
-      <li><a href="#GOST-cipher-suites-from-draft-chudov-cryptopro-cptls-extending-TLS-v1.0">GOST cipher suites from draft-chudov-cryptopro-cptls, extending TLS v1.0</a></li>
-      <li><a href="#Additional-Export-1024-and-other-cipher-suites">Additional Export 1024 and other cipher suites</a></li>
-      <li><a href="#Elliptic-curve-cipher-suites">Elliptic curve cipher suites.</a></li>
-      <li><a href="#TLS-v1.2-cipher-suites">TLS v1.2 cipher suites</a></li>
-      <li><a href="#ARIA-cipher-suites-from-RFC6209-extending-TLS-v1.2">ARIA cipher suites from RFC6209, extending TLS v1.2</a></li>
-      <li><a href="#Camellia-HMAC-Based-cipher-suites-from-RFC6367-extending-TLS-v1.2">Camellia HMAC-Based cipher suites from RFC6367, extending TLS v1.2</a></li>
-      <li><a href="#Pre-shared-keying-PSK-cipher-suites">Pre-shared keying (PSK) cipher suites</a></li>
-      <li><a href="#ChaCha20-Poly1305-cipher-suites-extending-TLS-v1.2">ChaCha20-Poly1305 cipher suites, extending TLS v1.2</a></li>
-      <li><a href="#TLS-v1.3-cipher-suites">TLS v1.3 cipher suites</a></li>
-      <li><a href="#Older-names-used-by-OpenSSL">Older names used by OpenSSL</a></li>
-    </ul>
-  </li>
-  <li><a href="#NOTES">NOTES</a></li>
-  <li><a href="#EXAMPLES">EXAMPLES</a></li>
-  <li><a href="#SEE-ALSO">SEE ALSO</a></li>
-  <li><a href="#HISTORY">HISTORY</a></li>
-  <li><a href="#COPYRIGHT">COPYRIGHT</a></li>
-</ul>
-
-<h1 id="NAME">NAME</h1>
-
-<p>openssl-ciphers, ciphers - SSL cipher display and cipher list tool</p>
-
-<h1 id="SYNOPSIS">SYNOPSIS</h1>
-
-<p><b>openssl</b> <b>ciphers</b> [<b>-help</b>] [<b>-s</b>] [<b>-v</b>] [<b>-V</b>] [<b>-ssl3</b>] [<b>-tls1</b>] [<b>-tls1_1</b>] [<b>-tls1_2</b>] [<b>-tls1_3</b>] [<b>-s</b>] [<b>-psk</b>] [<b>-srp</b>] [<b>-stdname</b>] [<b>-convert name</b>] [<b>-ciphersuites val</b>] [<b>cipherlist</b>]</p>
-
-<h1 id="DESCRIPTION">DESCRIPTION</h1>
-
-<p>The <b>ciphers</b> command converts textual OpenSSL cipher lists into ordered SSL cipher preference lists. It can be used as a test tool to determine the appropriate cipherlist.</p>
-
-<h1 id="OPTIONS">OPTIONS</h1>
-
-<dl>
-
-<dt id="help"><b>-help</b></dt>
-<dd>
-
-<p>Print a usage message.</p>
-
-</dd>
-<dt id="s"><b>-s</b></dt>
-<dd>
-
-<p>Only list supported ciphers: those consistent with the security level, and minimum and maximum protocol version. This is closer to the actual cipher list an application will support.</p>
-
-<p>PSK and SRP ciphers are not enabled by default: they require <b>-psk</b> or <b>-srp</b> to enable them.</p>
-
-<p>It also does not change the default list of supported signature algorithms.</p>
-
-<p>On a server the list of supported ciphers might also exclude other ciphers depending on the configured certificates and presence of DH parameters.</p>
-
-<p>If this option is not used then all ciphers that match the cipherlist will be listed.</p>
-
-</dd>
-<dt id="psk"><b>-psk</b></dt>
-<dd>
-
-<p>When combined with <b>-s</b> includes cipher suites which require PSK.</p>
-
-</dd>
-<dt id="srp"><b>-srp</b></dt>
-<dd>
-
-<p>When combined with <b>-s</b> includes cipher suites which require SRP.</p>
-
-</dd>
-<dt id="v"><b>-v</b></dt>
-<dd>
-
-<p>Verbose output: For each cipher suite, list details as provided by <a href="../man3/SSL_CIPHER_description.html">SSL_CIPHER_description(3)</a>.</p>
-
-</dd>
-<dt id="V"><b>-V</b></dt>
-<dd>
-
-<p>Like <b>-v</b>, but include the official cipher suite values in hex.</p>
-
-</dd>
-<dt id="tls1_3--tls1_2--tls1_1--tls1--ssl3"><b>-tls1_3</b>, <b>-tls1_2</b>, <b>-tls1_1</b>, <b>-tls1</b>, <b>-ssl3</b></dt>
-<dd>
-
-<p>In combination with the <b>-s</b> option, list the ciphers which could be used if the specified protocol were negotiated. Note that not all protocols and flags may be available, depending on how OpenSSL was built.</p>
-
-</dd>
-<dt id="stdname"><b>-stdname</b></dt>
-<dd>
-
-<p>Precede each cipher suite by its standard name.</p>
-
-</dd>
-<dt id="convert-name"><b>-convert name</b></dt>
-<dd>
-
-<p>Convert a standard cipher <b>name</b> to its OpenSSL name.</p>
-
-</dd>
-<dt id="ciphersuites-val"><b>-ciphersuites val</b></dt>
-<dd>
-
-<p>Sets the list of TLSv1.3 ciphersuites. This list will be combined with any TLSv1.2 and below ciphersuites that have been configured. The format for this list is a simple colon (&quot;:&quot;) separated list of TLSv1.3 ciphersuite names. By default this value is:</p>
-
-<pre><code>TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256</code></pre>
-
-</dd>
-<dt id="cipherlist"><b>cipherlist</b></dt>
-<dd>
-
-<p>A cipher list of TLSv1.2 and below ciphersuites to convert to a cipher preference list. This list will be combined with any TLSv1.3 ciphersuites that have been configured. If it is not included then the default cipher list will be used. The format is described below.</p>
-
-</dd>
-</dl>
-
-<h1 id="CIPHER-LIST-FORMAT">CIPHER LIST FORMAT</h1>
-
-<p>The cipher list consists of one or more <i>cipher strings</i> separated by colons. Commas or spaces are also acceptable separators but colons are normally used.</p>
-
-<p>The actual cipher string can take several different forms.</p>
-
-<p>It can consist of a single cipher suite such as <b>RC4-SHA</b>.</p>
-
-<p>It can represent a list of cipher suites containing a certain algorithm, or cipher suites of a certain type. For example <b>SHA1</b> represents all ciphers suites using the digest algorithm SHA1 and <b>SSLv3</b> represents all SSL v3 algorithms.</p>
-
-<p>Lists of cipher suites can be combined in a single cipher string using the <b>+</b> character. This is used as a logical <b>and</b> operation. For example <b>SHA1+DES</b> represents all cipher suites containing the SHA1 <b>and</b> the DES algorithms.</p>
-
-<p>Each cipher string can be optionally preceded by the characters <b>!</b>, <b>-</b> or <b>+</b>.</p>
-
-<p>If <b>!</b> is used then the ciphers are permanently deleted from the list. The ciphers deleted can never reappear in the list even if they are explicitly stated.</p>
-
-<p>If <b>-</b> is used then the ciphers are deleted from the list, but some or all of the ciphers can be added again by later options.</p>
-
-<p>If <b>+</b> is used then the ciphers are moved to the end of the list. This option doesn&#39;t add any new ciphers it just moves matching existing ones.</p>
-
-<p>If none of these characters is present then the string is just interpreted as a list of ciphers to be appended to the current preference list. If the list includes any ciphers already present they will be ignored: that is they will not moved to the end of the list.</p>
-
-<p>The cipher string <b>@STRENGTH</b> can be used at any point to sort the current cipher list in order of encryption algorithm key length.</p>
-
-<p>The cipher string <b>@SECLEVEL=n</b> can be used at any point to set the security level to <b>n</b>, which should be a number between zero and five, inclusive. See <a href="/../man3/SSL_CTX_set_security_level.html">SSL_CTX_set_security_level</a> for a description of what each level means.</p>
-
-<p>The cipher list can be prefixed with the <b>DEFAULT</b> keyword, which enables the default cipher list as defined below. Unlike cipher strings, this prefix may not be combined with other strings using <b>+</b> character. For example, <b>DEFAULT+DES</b> is not valid.</p>
-
-<p>The content of the default list is determined at compile time and normally corresponds to <b>ALL:!COMPLEMENTOFDEFAULT:!eNULL</b>.</p>
-
-<h1 id="CIPHER-STRINGS">CIPHER STRINGS</h1>
-
-<p>The following is a list of all permitted cipher strings and their meanings.</p>
-
-<dl>
-
-<dt id="COMPLEMENTOFDEFAULT"><b>COMPLEMENTOFDEFAULT</b></dt>
-<dd>
-
-<p>The ciphers included in <b>ALL</b>, but not enabled by default. Currently this includes all RC4 and anonymous ciphers. Note that this rule does not cover <b>eNULL</b>, which is not included by <b>ALL</b> (use <b>COMPLEMENTOFALL</b> if necessary). Note that RC4 based cipher suites are not built into OpenSSL by default (see the enable-weak-ssl-ciphers option to Configure).</p>
-
-</dd>
-<dt id="ALL"><b>ALL</b></dt>
-<dd>
-
-<p>All cipher suites except the <b>eNULL</b> ciphers (which must be explicitly enabled if needed). As of OpenSSL 1.0.0, the <b>ALL</b> cipher suites are sensibly ordered by default.</p>
-
-</dd>
-<dt id="COMPLEMENTOFALL"><b>COMPLEMENTOFALL</b></dt>
-<dd>
-
-<p>The cipher suites not enabled by <b>ALL</b>, currently <b>eNULL</b>.</p>
-
-</dd>
-<dt id="HIGH"><b>HIGH</b></dt>
-<dd>
-
-<p>&quot;High&quot; encryption cipher suites. This currently means those with key lengths larger than 128 bits, and some cipher suites with 128-bit keys.</p>
-
-</dd>
-<dt id="MEDIUM"><b>MEDIUM</b></dt>
-<dd>
-
-<p>&quot;Medium&quot; encryption cipher suites, currently some of those using 128 bit encryption.</p>
-
-</dd>
-<dt id="LOW"><b>LOW</b></dt>
-<dd>
-
-<p>&quot;Low&quot; encryption cipher suites, currently those using 64 or 56 bit encryption algorithms but excluding export cipher suites. All these cipher suites have been removed as of OpenSSL 1.1.0.</p>
-
-</dd>
-<dt id="eNULL-NULL"><b>eNULL</b>, <b>NULL</b></dt>
-<dd>
-
-<p>The &quot;NULL&quot; ciphers that is those offering no encryption. Because these offer no encryption at all and are a security risk they are not enabled via either the <b>DEFAULT</b> or <b>ALL</b> cipher strings. Be careful when building cipherlists out of lower-level primitives such as <b>kRSA</b> or <b>aECDSA</b> as these do overlap with the <b>eNULL</b> ciphers. When in doubt, include <b>!eNULL</b> in your cipherlist.</p>
-
-</dd>
-<dt id="aNULL"><b>aNULL</b></dt>
-<dd>
-
-<p>The cipher suites offering no authentication. This is currently the anonymous DH algorithms and anonymous ECDH algorithms. These cipher suites are vulnerable to &quot;man in the middle&quot; attacks and so their use is discouraged. These are excluded from the <b>DEFAULT</b> ciphers, but included in the <b>ALL</b> ciphers. Be careful when building cipherlists out of lower-level primitives such as <b>kDHE</b> or <b>AES</b> as these do overlap with the <b>aNULL</b> ciphers. When in doubt, include <b>!aNULL</b> in your cipherlist.</p>
-
-</dd>
-<dt id="kRSA-aRSA-RSA"><b>kRSA</b>, <b>aRSA</b>, <b>RSA</b></dt>
-<dd>
-
-<p>Cipher suites using RSA key exchange or authentication. <b>RSA</b> is an alias for <b>kRSA</b>.</p>
-
-</dd>
-<dt id="kDHr-kDHd-kDH"><b>kDHr</b>, <b>kDHd</b>, <b>kDH</b></dt>
-<dd>
-
-<p>Cipher suites using static DH key agreement and DH certificates signed by CAs with RSA and DSS keys or either respectively. All these cipher suites have been removed in OpenSSL 1.1.0.</p>
-
-</dd>
-<dt id="kDHE-kEDH-DH"><b>kDHE</b>, <b>kEDH</b>, <b>DH</b></dt>
-<dd>
-
-<p>Cipher suites using ephemeral DH key agreement, including anonymous cipher suites.</p>
-
-</dd>
-<dt id="DHE-EDH"><b>DHE</b>, <b>EDH</b></dt>
-<dd>
-
-<p>Cipher suites using authenticated ephemeral DH key agreement.</p>
-
-</dd>
-<dt id="ADH"><b>ADH</b></dt>
-<dd>
-
-<p>Anonymous DH cipher suites, note that this does not include anonymous Elliptic Curve DH (ECDH) cipher suites.</p>
-
-</dd>
-<dt id="kEECDH-kECDHE-ECDH"><b>kEECDH</b>, <b>kECDHE</b>, <b>ECDH</b></dt>
-<dd>
-
-<p>Cipher suites using ephemeral ECDH key agreement, including anonymous cipher suites.</p>
-
-</dd>
-<dt id="ECDHE-EECDH"><b>ECDHE</b>, <b>EECDH</b></dt>
-<dd>
-
-<p>Cipher suites using authenticated ephemeral ECDH key agreement.</p>
-
-</dd>
-<dt id="AECDH"><b>AECDH</b></dt>
-<dd>
-
-<p>Anonymous Elliptic Curve Diffie-Hellman cipher suites.</p>
-
-</dd>
-<dt id="aDSS-DSS"><b>aDSS</b>, <b>DSS</b></dt>
-<dd>
-
-<p>Cipher suites using DSS authentication, i.e. the certificates carry DSS keys.</p>
-
-</dd>
-<dt id="aDH"><b>aDH</b></dt>
-<dd>
-
-<p>Cipher suites effectively using DH authentication, i.e. the certificates carry DH keys. All these cipher suites have been removed in OpenSSL 1.1.0.</p>
-
-</dd>
-<dt id="aECDSA-ECDSA"><b>aECDSA</b>, <b>ECDSA</b></dt>
-<dd>
-
-<p>Cipher suites using ECDSA authentication, i.e. the certificates carry ECDSA keys.</p>
-
-</dd>
-<dt id="TLSv1.2-TLSv1.0-SSLv3"><b>TLSv1.2</b>, <b>TLSv1.0</b>, <b>SSLv3</b></dt>
-<dd>
-
-<p>Lists cipher suites which are only supported in at least TLS v1.2, TLS v1.0 or SSL v3.0 respectively. Note: there are no cipher suites specific to TLS v1.1. Since this is only the minimum version, if, for example, TLSv1.0 is negotiated then both TLSv1.0 and SSLv3.0 cipher suites are available.</p>
-
-<p>Note: these cipher strings <b>do not</b> change the negotiated version of SSL or TLS, they only affect the list of available cipher suites.</p>
-
-</dd>
-<dt id="AES128-AES256-AES"><b>AES128</b>, <b>AES256</b>, <b>AES</b></dt>
-<dd>
-
-<p>cipher suites using 128 bit AES, 256 bit AES or either 128 or 256 bit AES.</p>
-
-</dd>
-<dt id="AESGCM"><b>AESGCM</b></dt>
-<dd>
-
-<p>AES in Galois Counter Mode (GCM): these cipher suites are only supported in TLS v1.2.</p>
-
-</dd>
-<dt id="AESCCM-AESCCM8"><b>AESCCM</b>, <b>AESCCM8</b></dt>
-<dd>
-
-<p>AES in Cipher Block Chaining - Message Authentication Mode (CCM): these cipher suites are only supported in TLS v1.2. <b>AESCCM</b> references CCM cipher suites using both 16 and 8 octet Integrity Check Value (ICV) while <b>AESCCM8</b> only references 8 octet ICV.</p>
-
-</dd>
-<dt id="ARIA128-ARIA256-ARIA"><b>ARIA128</b>, <b>ARIA256</b>, <b>ARIA</b></dt>
-<dd>
-
-<p>Cipher suites using 128 bit ARIA, 256 bit ARIA or either 128 or 256 bit ARIA.</p>
-
-</dd>
-<dt id="CAMELLIA128-CAMELLIA256-CAMELLIA"><b>CAMELLIA128</b>, <b>CAMELLIA256</b>, <b>CAMELLIA</b></dt>
-<dd>
-
-<p>Cipher suites using 128 bit CAMELLIA, 256 bit CAMELLIA or either 128 or 256 bit CAMELLIA.</p>
-
-</dd>
-<dt id="CHACHA20"><b>CHACHA20</b></dt>
-<dd>
-
-<p>Cipher suites using ChaCha20.</p>
-
-</dd>
-<dt id="DES"><b>3DES</b></dt>
-<dd>
-
-<p>Cipher suites using triple DES.</p>
-
-</dd>
-<dt id="DES1"><b>DES</b></dt>
-<dd>
-
-<p>Cipher suites using DES (not triple DES). All these cipher suites have been removed in OpenSSL 1.1.0.</p>
-
-</dd>
-<dt id="RC4"><b>RC4</b></dt>
-<dd>
-
-<p>Cipher suites using RC4.</p>
-
-</dd>
-<dt id="RC2"><b>RC2</b></dt>
-<dd>
-
-<p>Cipher suites using RC2.</p>
-
-</dd>
-<dt id="IDEA"><b>IDEA</b></dt>
-<dd>
-
-<p>Cipher suites using IDEA.</p>
-
-</dd>
-<dt id="SEED"><b>SEED</b></dt>
-<dd>
-
-<p>Cipher suites using SEED.</p>
-
-</dd>
-<dt id="MD5"><b>MD5</b></dt>
-<dd>
-
-<p>Cipher suites using MD5.</p>
-
-</dd>
-<dt id="SHA1-SHA"><b>SHA1</b>, <b>SHA</b></dt>
-<dd>
-
-<p>Cipher suites using SHA1.</p>
-
-</dd>
-<dt id="SHA256-SHA384"><b>SHA256</b>, <b>SHA384</b></dt>
-<dd>
-
-<p>Cipher suites using SHA256 or SHA384.</p>
-
-</dd>
-<dt id="aGOST"><b>aGOST</b></dt>
-<dd>
-
-<p>Cipher suites using GOST R 34.10 (either 2001 or 94) for authentication (needs an engine supporting GOST algorithms).</p>
-
-</dd>
-<dt id="aGOST01"><b>aGOST01</b></dt>
-<dd>
-
-<p>Cipher suites using GOST R 34.10-2001 authentication.</p>
-
-</dd>
-<dt id="kGOST"><b>kGOST</b></dt>
-<dd>
-
-<p>Cipher suites, using VKO 34.10 key exchange, specified in the RFC 4357.</p>
-
-</dd>
-<dt id="GOST94"><b>GOST94</b></dt>
-<dd>
-
-<p>Cipher suites, using HMAC based on GOST R 34.11-94.</p>
-
-</dd>
-<dt id="GOST89MAC"><b>GOST89MAC</b></dt>
-<dd>
-
-<p>Cipher suites using GOST 28147-89 MAC <b>instead of</b> HMAC.</p>
-
-</dd>
-<dt id="PSK"><b>PSK</b></dt>
-<dd>
-
-<p>All cipher suites using pre-shared keys (PSK).</p>
-
-</dd>
-<dt id="kPSK-kECDHEPSK-kDHEPSK-kRSAPSK"><b>kPSK</b>, <b>kECDHEPSK</b>, <b>kDHEPSK</b>, <b>kRSAPSK</b></dt>
-<dd>
-
-<p>Cipher suites using PSK key exchange, ECDHE_PSK, DHE_PSK or RSA_PSK.</p>
-
-</dd>
-<dt id="aPSK"><b>aPSK</b></dt>
-<dd>
-
-<p>Cipher suites using PSK authentication (currently all PSK modes apart from RSA_PSK).</p>
-
-</dd>
-<dt id="SUITEB128-SUITEB128ONLY-SUITEB192"><b>SUITEB128</b>, <b>SUITEB128ONLY</b>, <b>SUITEB192</b></dt>
-<dd>
-
-<p>Enables suite B mode of operation using 128 (permitting 192 bit mode by peer) 128 bit (not permitting 192 bit by peer) or 192 bit level of security respectively. If used these cipherstrings should appear first in the cipher list and anything after them is ignored. Setting Suite B mode has additional consequences required to comply with RFC6460. In particular the supported signature algorithms is reduced to support only ECDSA and SHA256 or SHA384, only the elliptic curves P-256 and P-384 can be used and only the two suite B compliant cipher suites (ECDHE-ECDSA-AES128-GCM-SHA256 and ECDHE-ECDSA-AES256-GCM-SHA384) are permissible.</p>
-
-</dd>
-</dl>
-
-<h1 id="CIPHER-SUITE-NAMES">CIPHER SUITE NAMES</h1>
-
-<p>The following lists give the SSL or TLS cipher suites names from the relevant specification and their OpenSSL equivalents. It should be noted, that several cipher suite names do not include the authentication used, e.g. DES-CBC3-SHA. In these cases, RSA authentication is used.</p>
-
-<h2 id="SSL-v3.0-cipher-suites">SSL v3.0 cipher suites</h2>
-
-<pre><code>SSL_RSA_WITH_NULL_MD5                   NULL-MD5
-SSL_RSA_WITH_NULL_SHA                   NULL-SHA
-SSL_RSA_WITH_RC4_128_MD5                RC4-MD5
-SSL_RSA_WITH_RC4_128_SHA                RC4-SHA
-SSL_RSA_WITH_IDEA_CBC_SHA               IDEA-CBC-SHA
-SSL_RSA_WITH_3DES_EDE_CBC_SHA           DES-CBC3-SHA
-
-SSL_DH_DSS_WITH_3DES_EDE_CBC_SHA        DH-DSS-DES-CBC3-SHA
-SSL_DH_RSA_WITH_3DES_EDE_CBC_SHA        DH-RSA-DES-CBC3-SHA
-SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA       DHE-DSS-DES-CBC3-SHA
-SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA       DHE-RSA-DES-CBC3-SHA
-
-SSL_DH_anon_WITH_RC4_128_MD5            ADH-RC4-MD5
-SSL_DH_anon_WITH_3DES_EDE_CBC_SHA       ADH-DES-CBC3-SHA
-
-SSL_FORTEZZA_KEA_WITH_NULL_SHA          Not implemented.
-SSL_FORTEZZA_KEA_WITH_FORTEZZA_CBC_SHA  Not implemented.
-SSL_FORTEZZA_KEA_WITH_RC4_128_SHA       Not implemented.</code></pre>
-
-<h2 id="TLS-v1.0-cipher-suites">TLS v1.0 cipher suites</h2>
-
-<pre><code>TLS_RSA_WITH_NULL_MD5                   NULL-MD5
-TLS_RSA_WITH_NULL_SHA                   NULL-SHA
-TLS_RSA_WITH_RC4_128_MD5                RC4-MD5
-TLS_RSA_WITH_RC4_128_SHA                RC4-SHA
-TLS_RSA_WITH_IDEA_CBC_SHA               IDEA-CBC-SHA
-TLS_RSA_WITH_3DES_EDE_CBC_SHA           DES-CBC3-SHA
-
-TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA        Not implemented.
-TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA        Not implemented.
-TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA       DHE-DSS-DES-CBC3-SHA
-TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA       DHE-RSA-DES-CBC3-SHA
-
-TLS_DH_anon_WITH_RC4_128_MD5            ADH-RC4-MD5
-TLS_DH_anon_WITH_3DES_EDE_CBC_SHA       ADH-DES-CBC3-SHA</code></pre>
-
-<h2 id="AES-cipher-suites-from-RFC3268-extending-TLS-v1.0">AES cipher suites from RFC3268, extending TLS v1.0</h2>
-
-<pre><code>TLS_RSA_WITH_AES_128_CBC_SHA            AES128-SHA
-TLS_RSA_WITH_AES_256_CBC_SHA            AES256-SHA
-
-TLS_DH_DSS_WITH_AES_128_CBC_SHA         DH-DSS-AES128-SHA
-TLS_DH_DSS_WITH_AES_256_CBC_SHA         DH-DSS-AES256-SHA
-TLS_DH_RSA_WITH_AES_128_CBC_SHA         DH-RSA-AES128-SHA
-TLS_DH_RSA_WITH_AES_256_CBC_SHA         DH-RSA-AES256-SHA
-
-TLS_DHE_DSS_WITH_AES_128_CBC_SHA        DHE-DSS-AES128-SHA
-TLS_DHE_DSS_WITH_AES_256_CBC_SHA        DHE-DSS-AES256-SHA
-TLS_DHE_RSA_WITH_AES_128_CBC_SHA        DHE-RSA-AES128-SHA
-TLS_DHE_RSA_WITH_AES_256_CBC_SHA        DHE-RSA-AES256-SHA
-
-TLS_DH_anon_WITH_AES_128_CBC_SHA        ADH-AES128-SHA
-TLS_DH_anon_WITH_AES_256_CBC_SHA        ADH-AES256-SHA</code></pre>
-
-<h2 id="Camellia-cipher-suites-from-RFC4132-extending-TLS-v1.0">Camellia cipher suites from RFC4132, extending TLS v1.0</h2>
-
-<pre><code>TLS_RSA_WITH_CAMELLIA_128_CBC_SHA      CAMELLIA128-SHA
-TLS_RSA_WITH_CAMELLIA_256_CBC_SHA      CAMELLIA256-SHA
-
-TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA   DH-DSS-CAMELLIA128-SHA
-TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA   DH-DSS-CAMELLIA256-SHA
-TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA   DH-RSA-CAMELLIA128-SHA
-TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA   DH-RSA-CAMELLIA256-SHA
-
-TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA  DHE-DSS-CAMELLIA128-SHA
-TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA  DHE-DSS-CAMELLIA256-SHA
-TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA  DHE-RSA-CAMELLIA128-SHA
-TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA  DHE-RSA-CAMELLIA256-SHA
-
-TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA  ADH-CAMELLIA128-SHA
-TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA  ADH-CAMELLIA256-SHA</code></pre>
-
-<h2 id="SEED-cipher-suites-from-RFC4162-extending-TLS-v1.0">SEED cipher suites from RFC4162, extending TLS v1.0</h2>
-
-<pre><code>TLS_RSA_WITH_SEED_CBC_SHA              SEED-SHA
-
-TLS_DH_DSS_WITH_SEED_CBC_SHA           DH-DSS-SEED-SHA
-TLS_DH_RSA_WITH_SEED_CBC_SHA           DH-RSA-SEED-SHA
-
-TLS_DHE_DSS_WITH_SEED_CBC_SHA          DHE-DSS-SEED-SHA
-TLS_DHE_RSA_WITH_SEED_CBC_SHA          DHE-RSA-SEED-SHA
-
-TLS_DH_anon_WITH_SEED_CBC_SHA          ADH-SEED-SHA</code></pre>
-
-<h2 id="GOST-cipher-suites-from-draft-chudov-cryptopro-cptls-extending-TLS-v1.0">GOST cipher suites from draft-chudov-cryptopro-cptls, extending TLS v1.0</h2>
-
-<p>Note: these ciphers require an engine which including GOST cryptographic algorithms, such as the <b>ccgost</b> engine, included in the OpenSSL distribution.</p>
-
-<pre><code>TLS_GOSTR341094_WITH_28147_CNT_IMIT GOST94-GOST89-GOST89
-TLS_GOSTR341001_WITH_28147_CNT_IMIT GOST2001-GOST89-GOST89
-TLS_GOSTR341094_WITH_NULL_GOSTR3411 GOST94-NULL-GOST94
-TLS_GOSTR341001_WITH_NULL_GOSTR3411 GOST2001-NULL-GOST94</code></pre>
-
-<h2 id="Additional-Export-1024-and-other-cipher-suites">Additional Export 1024 and other cipher suites</h2>
-
-<p>Note: these ciphers can also be used in SSL v3.</p>
-
-<pre><code>TLS_DHE_DSS_WITH_RC4_128_SHA            DHE-DSS-RC4-SHA</code></pre>
-
-<h2 id="Elliptic-curve-cipher-suites">Elliptic curve cipher suites.</h2>
-
-<pre><code>TLS_ECDHE_RSA_WITH_NULL_SHA             ECDHE-RSA-NULL-SHA
-TLS_ECDHE_RSA_WITH_RC4_128_SHA          ECDHE-RSA-RC4-SHA
-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA     ECDHE-RSA-DES-CBC3-SHA
-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA      ECDHE-RSA-AES128-SHA
-TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA      ECDHE-RSA-AES256-SHA
-
-TLS_ECDHE_ECDSA_WITH_NULL_SHA           ECDHE-ECDSA-NULL-SHA
-TLS_ECDHE_ECDSA_WITH_RC4_128_SHA        ECDHE-ECDSA-RC4-SHA
-TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA   ECDHE-ECDSA-DES-CBC3-SHA
-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA    ECDHE-ECDSA-AES128-SHA
-TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA    ECDHE-ECDSA-AES256-SHA
-
-TLS_ECDH_anon_WITH_NULL_SHA             AECDH-NULL-SHA
-TLS_ECDH_anon_WITH_RC4_128_SHA          AECDH-RC4-SHA
-TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA     AECDH-DES-CBC3-SHA
-TLS_ECDH_anon_WITH_AES_128_CBC_SHA      AECDH-AES128-SHA
-TLS_ECDH_anon_WITH_AES_256_CBC_SHA      AECDH-AES256-SHA</code></pre>
-
-<h2 id="TLS-v1.2-cipher-suites">TLS v1.2 cipher suites</h2>
-
-<pre><code>TLS_RSA_WITH_NULL_SHA256                  NULL-SHA256
-
-TLS_RSA_WITH_AES_128_CBC_SHA256           AES128-SHA256
-TLS_RSA_WITH_AES_256_CBC_SHA256           AES256-SHA256
-TLS_RSA_WITH_AES_128_GCM_SHA256           AES128-GCM-SHA256
-TLS_RSA_WITH_AES_256_GCM_SHA384           AES256-GCM-SHA384
-
-TLS_DH_RSA_WITH_AES_128_CBC_SHA256        DH-RSA-AES128-SHA256
-TLS_DH_RSA_WITH_AES_256_CBC_SHA256        DH-RSA-AES256-SHA256
-TLS_DH_RSA_WITH_AES_128_GCM_SHA256        DH-RSA-AES128-GCM-SHA256
-TLS_DH_RSA_WITH_AES_256_GCM_SHA384        DH-RSA-AES256-GCM-SHA384
-
-TLS_DH_DSS_WITH_AES_128_CBC_SHA256        DH-DSS-AES128-SHA256
-TLS_DH_DSS_WITH_AES_256_CBC_SHA256        DH-DSS-AES256-SHA256
-TLS_DH_DSS_WITH_AES_128_GCM_SHA256        DH-DSS-AES128-GCM-SHA256
-TLS_DH_DSS_WITH_AES_256_GCM_SHA384        DH-DSS-AES256-GCM-SHA384
-
-TLS_DHE_RSA_WITH_AES_128_CBC_SHA256       DHE-RSA-AES128-SHA256
-TLS_DHE_RSA_WITH_AES_256_CBC_SHA256       DHE-RSA-AES256-SHA256
-TLS_DHE_RSA_WITH_AES_128_GCM_SHA256       DHE-RSA-AES128-GCM-SHA256
-TLS_DHE_RSA_WITH_AES_256_GCM_SHA384       DHE-RSA-AES256-GCM-SHA384
-
-TLS_DHE_DSS_WITH_AES_128_CBC_SHA256       DHE-DSS-AES128-SHA256
-TLS_DHE_DSS_WITH_AES_256_CBC_SHA256       DHE-DSS-AES256-SHA256
-TLS_DHE_DSS_WITH_AES_128_GCM_SHA256       DHE-DSS-AES128-GCM-SHA256
-TLS_DHE_DSS_WITH_AES_256_GCM_SHA384       DHE-DSS-AES256-GCM-SHA384
-
-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256     ECDHE-RSA-AES128-SHA256
-TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384     ECDHE-RSA-AES256-SHA384
-TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256     ECDHE-RSA-AES128-GCM-SHA256
-TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384     ECDHE-RSA-AES256-GCM-SHA384
-
-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256   ECDHE-ECDSA-AES128-SHA256
-TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384   ECDHE-ECDSA-AES256-SHA384
-TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256   ECDHE-ECDSA-AES128-GCM-SHA256
-TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384   ECDHE-ECDSA-AES256-GCM-SHA384
-
-TLS_DH_anon_WITH_AES_128_CBC_SHA256       ADH-AES128-SHA256
-TLS_DH_anon_WITH_AES_256_CBC_SHA256       ADH-AES256-SHA256
-TLS_DH_anon_WITH_AES_128_GCM_SHA256       ADH-AES128-GCM-SHA256
-TLS_DH_anon_WITH_AES_256_GCM_SHA384       ADH-AES256-GCM-SHA384
-
-RSA_WITH_AES_128_CCM                      AES128-CCM
-RSA_WITH_AES_256_CCM                      AES256-CCM
-DHE_RSA_WITH_AES_128_CCM                  DHE-RSA-AES128-CCM
-DHE_RSA_WITH_AES_256_CCM                  DHE-RSA-AES256-CCM
-RSA_WITH_AES_128_CCM_8                    AES128-CCM8
-RSA_WITH_AES_256_CCM_8                    AES256-CCM8
-DHE_RSA_WITH_AES_128_CCM_8                DHE-RSA-AES128-CCM8
-DHE_RSA_WITH_AES_256_CCM_8                DHE-RSA-AES256-CCM8
-ECDHE_ECDSA_WITH_AES_128_CCM              ECDHE-ECDSA-AES128-CCM
-ECDHE_ECDSA_WITH_AES_256_CCM              ECDHE-ECDSA-AES256-CCM
-ECDHE_ECDSA_WITH_AES_128_CCM_8            ECDHE-ECDSA-AES128-CCM8
-ECDHE_ECDSA_WITH_AES_256_CCM_8            ECDHE-ECDSA-AES256-CCM8</code></pre>
-
-<h2 id="ARIA-cipher-suites-from-RFC6209-extending-TLS-v1.2">ARIA cipher suites from RFC6209, extending TLS v1.2</h2>
-
-<p>Note: the CBC modes mentioned in this RFC are not supported.</p>
-
-<pre><code>TLS_RSA_WITH_ARIA_128_GCM_SHA256          ARIA128-GCM-SHA256
-TLS_RSA_WITH_ARIA_256_GCM_SHA384          ARIA256-GCM-SHA384
-TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256      DHE-RSA-ARIA128-GCM-SHA256
-TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384      DHE-RSA-ARIA256-GCM-SHA384
-TLS_DHE_DSS_WITH_ARIA_128_GCM_SHA256      DHE-DSS-ARIA128-GCM-SHA256
-TLS_DHE_DSS_WITH_ARIA_256_GCM_SHA384      DHE-DSS-ARIA256-GCM-SHA384
-TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256  ECDHE-ECDSA-ARIA128-GCM-SHA256
-TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384  ECDHE-ECDSA-ARIA256-GCM-SHA384
-TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256    ECDHE-ARIA128-GCM-SHA256
-TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384    ECDHE-ARIA256-GCM-SHA384
-TLS_PSK_WITH_ARIA_128_GCM_SHA256          PSK-ARIA128-GCM-SHA256
-TLS_PSK_WITH_ARIA_256_GCM_SHA384          PSK-ARIA256-GCM-SHA384
-TLS_DHE_PSK_WITH_ARIA_128_GCM_SHA256      DHE-PSK-ARIA128-GCM-SHA256
-TLS_DHE_PSK_WITH_ARIA_256_GCM_SHA384      DHE-PSK-ARIA256-GCM-SHA384
-TLS_RSA_PSK_WITH_ARIA_128_GCM_SHA256      RSA-PSK-ARIA128-GCM-SHA256
-TLS_RSA_PSK_WITH_ARIA_256_GCM_SHA384      RSA-PSK-ARIA256-GCM-SHA384</code></pre>
-
-<h2 id="Camellia-HMAC-Based-cipher-suites-from-RFC6367-extending-TLS-v1.2">Camellia HMAC-Based cipher suites from RFC6367, extending TLS v1.2</h2>
-
-<pre><code>TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 ECDHE-ECDSA-CAMELLIA128-SHA256
-TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 ECDHE-ECDSA-CAMELLIA256-SHA384
-TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256   ECDHE-RSA-CAMELLIA128-SHA256
-TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384   ECDHE-RSA-CAMELLIA256-SHA384</code></pre>
-
-<h2 id="Pre-shared-keying-PSK-cipher-suites">Pre-shared keying (PSK) cipher suites</h2>
-
-<pre><code>PSK_WITH_NULL_SHA                         PSK-NULL-SHA
-DHE_PSK_WITH_NULL_SHA                     DHE-PSK-NULL-SHA
-RSA_PSK_WITH_NULL_SHA                     RSA-PSK-NULL-SHA
-
-PSK_WITH_RC4_128_SHA                      PSK-RC4-SHA
-PSK_WITH_3DES_EDE_CBC_SHA                 PSK-3DES-EDE-CBC-SHA
-PSK_WITH_AES_128_CBC_SHA                  PSK-AES128-CBC-SHA
-PSK_WITH_AES_256_CBC_SHA                  PSK-AES256-CBC-SHA
-
-DHE_PSK_WITH_RC4_128_SHA                  DHE-PSK-RC4-SHA
-DHE_PSK_WITH_3DES_EDE_CBC_SHA             DHE-PSK-3DES-EDE-CBC-SHA
-DHE_PSK_WITH_AES_128_CBC_SHA              DHE-PSK-AES128-CBC-SHA
-DHE_PSK_WITH_AES_256_CBC_SHA              DHE-PSK-AES256-CBC-SHA
-
-RSA_PSK_WITH_RC4_128_SHA                  RSA-PSK-RC4-SHA
-RSA_PSK_WITH_3DES_EDE_CBC_SHA             RSA-PSK-3DES-EDE-CBC-SHA
-RSA_PSK_WITH_AES_128_CBC_SHA              RSA-PSK-AES128-CBC-SHA
-RSA_PSK_WITH_AES_256_CBC_SHA              RSA-PSK-AES256-CBC-SHA
-
-PSK_WITH_AES_128_GCM_SHA256               PSK-AES128-GCM-SHA256
-PSK_WITH_AES_256_GCM_SHA384               PSK-AES256-GCM-SHA384
-DHE_PSK_WITH_AES_128_GCM_SHA256           DHE-PSK-AES128-GCM-SHA256
-DHE_PSK_WITH_AES_256_GCM_SHA384           DHE-PSK-AES256-GCM-SHA384
-RSA_PSK_WITH_AES_128_GCM_SHA256           RSA-PSK-AES128-GCM-SHA256
-RSA_PSK_WITH_AES_256_GCM_SHA384           RSA-PSK-AES256-GCM-SHA384
-
-PSK_WITH_AES_128_CBC_SHA256               PSK-AES128-CBC-SHA256
-PSK_WITH_AES_256_CBC_SHA384               PSK-AES256-CBC-SHA384
-PSK_WITH_NULL_SHA256                      PSK-NULL-SHA256
-PSK_WITH_NULL_SHA384                      PSK-NULL-SHA384
-DHE_PSK_WITH_AES_128_CBC_SHA256           DHE-PSK-AES128-CBC-SHA256
-DHE_PSK_WITH_AES_256_CBC_SHA384           DHE-PSK-AES256-CBC-SHA384
-DHE_PSK_WITH_NULL_SHA256                  DHE-PSK-NULL-SHA256
-DHE_PSK_WITH_NULL_SHA384                  DHE-PSK-NULL-SHA384
-RSA_PSK_WITH_AES_128_CBC_SHA256           RSA-PSK-AES128-CBC-SHA256
-RSA_PSK_WITH_AES_256_CBC_SHA384           RSA-PSK-AES256-CBC-SHA384
-RSA_PSK_WITH_NULL_SHA256                  RSA-PSK-NULL-SHA256
-RSA_PSK_WITH_NULL_SHA384                  RSA-PSK-NULL-SHA384
-PSK_WITH_AES_128_GCM_SHA256               PSK-AES128-GCM-SHA256
-PSK_WITH_AES_256_GCM_SHA384               PSK-AES256-GCM-SHA384
-
-ECDHE_PSK_WITH_RC4_128_SHA                ECDHE-PSK-RC4-SHA
-ECDHE_PSK_WITH_3DES_EDE_CBC_SHA           ECDHE-PSK-3DES-EDE-CBC-SHA
-ECDHE_PSK_WITH_AES_128_CBC_SHA            ECDHE-PSK-AES128-CBC-SHA
-ECDHE_PSK_WITH_AES_256_CBC_SHA            ECDHE-PSK-AES256-CBC-SHA
-ECDHE_PSK_WITH_AES_128_CBC_SHA256         ECDHE-PSK-AES128-CBC-SHA256
-ECDHE_PSK_WITH_AES_256_CBC_SHA384         ECDHE-PSK-AES256-CBC-SHA384
-ECDHE_PSK_WITH_NULL_SHA                   ECDHE-PSK-NULL-SHA
-ECDHE_PSK_WITH_NULL_SHA256                ECDHE-PSK-NULL-SHA256
-ECDHE_PSK_WITH_NULL_SHA384                ECDHE-PSK-NULL-SHA384
-
-PSK_WITH_CAMELLIA_128_CBC_SHA256          PSK-CAMELLIA128-SHA256
-PSK_WITH_CAMELLIA_256_CBC_SHA384          PSK-CAMELLIA256-SHA384
-
-DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256      DHE-PSK-CAMELLIA128-SHA256
-DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384      DHE-PSK-CAMELLIA256-SHA384
-
-RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256      RSA-PSK-CAMELLIA128-SHA256
-RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384      RSA-PSK-CAMELLIA256-SHA384
-
-ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256    ECDHE-PSK-CAMELLIA128-SHA256
-ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384    ECDHE-PSK-CAMELLIA256-SHA384
-
-PSK_WITH_AES_128_CCM                      PSK-AES128-CCM
-PSK_WITH_AES_256_CCM                      PSK-AES256-CCM
-DHE_PSK_WITH_AES_128_CCM                  DHE-PSK-AES128-CCM
-DHE_PSK_WITH_AES_256_CCM                  DHE-PSK-AES256-CCM
-PSK_WITH_AES_128_CCM_8                    PSK-AES128-CCM8
-PSK_WITH_AES_256_CCM_8                    PSK-AES256-CCM8
-DHE_PSK_WITH_AES_128_CCM_8                DHE-PSK-AES128-CCM8
-DHE_PSK_WITH_AES_256_CCM_8                DHE-PSK-AES256-CCM8</code></pre>
-
-<h2 id="ChaCha20-Poly1305-cipher-suites-extending-TLS-v1.2">ChaCha20-Poly1305 cipher suites, extending TLS v1.2</h2>
-
-<pre><code>TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256      ECDHE-RSA-CHACHA20-POLY1305
-TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256    ECDHE-ECDSA-CHACHA20-POLY1305
-TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256        DHE-RSA-CHACHA20-POLY1305
-TLS_PSK_WITH_CHACHA20_POLY1305_SHA256            PSK-CHACHA20-POLY1305
-TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256      ECDHE-PSK-CHACHA20-POLY1305
-TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256        DHE-PSK-CHACHA20-POLY1305
-TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256        RSA-PSK-CHACHA20-POLY1305</code></pre>
-
-<h2 id="TLS-v1.3-cipher-suites">TLS v1.3 cipher suites</h2>
-
-<pre><code>TLS_AES_128_GCM_SHA256                     TLS_AES_128_GCM_SHA256
-TLS_AES_256_GCM_SHA384                     TLS_AES_256_GCM_SHA384
-TLS_CHACHA20_POLY1305_SHA256               TLS_CHACHA20_POLY1305_SHA256
-TLS_AES_128_CCM_SHA256                     TLS_AES_128_CCM_SHA256
-TLS_AES_128_CCM_8_SHA256                   TLS_AES_128_CCM_8_SHA256</code></pre>
-
-<h2 id="Older-names-used-by-OpenSSL">Older names used by OpenSSL</h2>
-
-<p>The following names are accepted by older releases:</p>
-
-<pre><code>SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA    EDH-RSA-DES-CBC3-SHA (DHE-RSA-DES-CBC3-SHA)
-SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA    EDH-DSS-DES-CBC3-SHA (DHE-DSS-DES-CBC3-SHA)</code></pre>
-
-<h1 id="NOTES">NOTES</h1>
-
-<p>Some compiled versions of OpenSSL may not include all the ciphers listed here because some ciphers were excluded at compile time.</p>
-
-<h1 id="EXAMPLES">EXAMPLES</h1>
-
-<p>Verbose listing of all OpenSSL ciphers including NULL ciphers:</p>
-
-<pre><code>openssl ciphers -v &#39;ALL:eNULL&#39;</code></pre>
-
-<p>Include all ciphers except NULL and anonymous DH then sort by strength:</p>
-
-<pre><code>openssl ciphers -v &#39;ALL:!ADH:@STRENGTH&#39;</code></pre>
-
-<p>Include all ciphers except ones with no encryption (eNULL) or no authentication (aNULL):</p>
-
-<pre><code>openssl ciphers -v &#39;ALL:!aNULL&#39;</code></pre>
-
-<p>Include only 3DES ciphers and then place RSA ciphers last:</p>
-
-<pre><code>openssl ciphers -v &#39;3DES:+RSA&#39;</code></pre>
-
-<p>Include all RC4 ciphers but leave out those without authentication:</p>
-
-<pre><code>openssl ciphers -v &#39;RC4:!COMPLEMENTOFDEFAULT&#39;</code></pre>
-
-<p>Include all ciphers with RSA authentication but leave out ciphers without encryption.</p>
-
-<pre><code>openssl ciphers -v &#39;RSA:!COMPLEMENTOFALL&#39;</code></pre>
-
-<p>Set security level to 2 and display all ciphers consistent with level 2:</p>
-
-<pre><code>openssl ciphers -s -v &#39;ALL:@SECLEVEL=2&#39;</code></pre>
-
-<h1 id="SEE-ALSO">SEE ALSO</h1>
-
-<p><a href="../man1/s_client.html">s_client(1)</a>, <a href="../man1/s_server.html">s_server(1)</a>, <a href="../man7/ssl.html">ssl(7)</a></p>
-
-<h1 id="HISTORY">HISTORY</h1>
-
-<p>The <b>-V</b> option for the <b>ciphers</b> command was added in OpenSSL 1.0.0.</p>
-
-<p>The <b>-stdname</b> is only available if OpenSSL is built with tracing enabled (<b>enable-ssl-trace</b> argument to Configure) before OpenSSL 1.1.1.</p>
-
-<p>The <b>-convert</b> option was added in OpenSSL 1.1.1.</p>
-
-<h1 id="COPYRIGHT">COPYRIGHT</h1>
-
-<p>Copyright 2000-2018 The OpenSSL Project Authors. All Rights Reserved.</p>
-
-<p>Licensed under the OpenSSL license (the &quot;License&quot;). You may not use this file except in compliance with the License. You can obtain a copy in the file LICENSE in the source distribution or at <a href="https://www.openssl.org/source/license.html">https://www.openssl.org/source/license.html</a>.</p>
-
-
-</body>
-
-</html>
-
-
--- a/deps/openssl/android/arm64-v8a/usr/local/share/doc/openssl/html/man1/cms.html
+++ b/deps/openssl/android/arm64-v8a/usr/local/share/doc/openssl/html/man1/cms.html
@ -1,638 +0,0 @@
-<?xml version="1.0" ?>
-<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
-<html xmlns="http://www.w3.org/1999/xhtml">
-<head>
-<title>cms</title>
-<meta http-equiv="content-type" content="text/html; charset=utf-8" />
-<link rev="made" href="mailto:root@localhost" />
-</head>
-
-<body>
-
-
-
-<ul id="index">
-  <li><a href="#NAME">NAME</a></li>
-  <li><a href="#SYNOPSIS">SYNOPSIS</a></li>
-  <li><a href="#DESCRIPTION">DESCRIPTION</a></li>
-  <li><a href="#OPTIONS">OPTIONS</a></li>
-  <li><a href="#NOTES">NOTES</a></li>
-  <li><a href="#EXIT-CODES">EXIT CODES</a></li>
-  <li><a href="#COMPATIBILITY-WITH-PKCS-7-format">COMPATIBILITY WITH PKCS#7 format.</a></li>
-  <li><a href="#EXAMPLES">EXAMPLES</a></li>
-  <li><a href="#BUGS">BUGS</a></li>
-  <li><a href="#HISTORY">HISTORY</a></li>
-  <li><a href="#COPYRIGHT">COPYRIGHT</a></li>
-</ul>
-
-<h1 id="NAME">NAME</h1>
-
-<p>openssl-cms, cms - CMS utility</p>
-
-<h1 id="SYNOPSIS">SYNOPSIS</h1>
-
-<p><b>openssl</b> <b>cms</b> [<b>-help</b>] [<b>-encrypt</b>] [<b>-decrypt</b>] [<b>-sign</b>] [<b>-verify</b>] [<b>-cmsout</b>] [<b>-resign</b>] [<b>-data_create</b>] [<b>-data_out</b>] [<b>-digest_create</b>] [<b>-digest_verify</b>] [<b>-compress</b>] [<b>-uncompress</b>] [<b>-EncryptedData_encrypt</b>] [<b>-sign_receipt</b>] [<b>-verify_receipt receipt</b>] [<b>-in filename</b>] [<b>-inform SMIME|PEM|DER</b>] [<b>-rctform SMIME|PEM|DER</b>] [<b>-out filename</b>] [<b>-outform SMIME|PEM|DER</b>] [<b>-stream -indef -noindef</b>] [<b>-noindef</b>] [<b>-content filename</b>] [<b>-text</b>] [<b>-noout</b>] [<b>-print</b>] [<b>-CAfile file</b>] [<b>-CApath dir</b>] [<b>-no-CAfile</b>] [<b>-no-CApath</b>] [<b>-attime timestamp</b>] [<b>-check_ss_sig</b>] [<b>-crl_check</b>] [<b>-crl_check_all</b>] [<b>-explicit_policy</b>] [<b>-extended_crl</b>] [<b>-ignore_critical</b>] [<b>-inhibit_any</b>] [<b>-inhibit_map</b>] [<b>-no_check_time</b>] [<b>-partial_chain</b>] [<b>-policy arg</b>] [<b>-policy_check</b>] [<b>-policy_print</b>] [<b>-purpose purpose</b>] [<b>-suiteB_128</b>] [<b>-suiteB_128_only</b>] [<b>-suiteB_192</b>] [<b>-trusted_first</b>] [<b>-no_alt_chains</b>] [<b>-use_deltas</b>] [<b>-auth_level num</b>] [<b>-verify_depth num</b>] [<b>-verify_email email</b>] [<b>-verify_hostname hostname</b>] [<b>-verify_ip ip</b>] [<b>-verify_name name</b>] [<b>-x509_strict</b>] [<b>-md digest</b>] [<b>-<i>cipher</i></b>] [<b>-nointern</b>] [<b>-noverify</b>] [<b>-nocerts</b>] [<b>-noattr</b>] [<b>-nosmimecap</b>] [<b>-binary</b>] [<b>-crlfeol</b>] [<b>-asciicrlf</b>] [<b>-nodetach</b>] [<b>-certfile file</b>] [<b>-certsout file</b>] [<b>-signer file</b>] [<b>-recip file</b>] [<b>-keyid</b>] [<b>-receipt_request_all</b>] [<b>-receipt_request_first</b>] [<b>-receipt_request_from emailaddress</b>] [<b>-receipt_request_to emailaddress</b>] [<b>-receipt_request_print</b>] [<b>-secretkey key</b>] [<b>-secretkeyid id</b>] [<b>-econtent_type type</b>] [<b>-inkey file</b>] [<b>-keyopt name:parameter</b>] [<b>-passin arg</b>] [<b>-rand file...</b>] [<b>-writerand file</b>] [<b>cert.pem...</b>] [<b>-to addr</b>] [<b>-from addr</b>] [<b>-subject subj</b>] [cert.pem]...</p>
-
-<h1 id="DESCRIPTION">DESCRIPTION</h1>
-
-<p>The <b>cms</b> command handles S/MIME v3.1 mail. It can encrypt, decrypt, sign and verify, compress and uncompress S/MIME messages.</p>
-
-<h1 id="OPTIONS">OPTIONS</h1>
-
-<p>There are fourteen operation options that set the type of operation to be performed. The meaning of the other options varies according to the operation type.</p>
-
-<dl>
-
-<dt id="help"><b>-help</b></dt>
-<dd>
-
-<p>Print out a usage message.</p>
-
-</dd>
-<dt id="encrypt"><b>-encrypt</b></dt>
-<dd>
-
-<p>Encrypt mail for the given recipient certificates. Input file is the message to be encrypted. The output file is the encrypted mail in MIME format. The actual CMS type is &lt;B&gt;EnvelopedData&lt;B&gt;.</p>
-
-<p>Note that no revocation check is done for the recipient cert, so if that key has been compromised, others may be able to decrypt the text.</p>
-
-</dd>
-<dt id="decrypt"><b>-decrypt</b></dt>
-<dd>
-
-<p>Decrypt mail using the supplied certificate and private key. Expects an encrypted mail message in MIME format for the input file. The decrypted mail is written to the output file.</p>
-
-</dd>
-<dt id="debug_decrypt"><b>-debug_decrypt</b></dt>
-<dd>
-
-<p>This option sets the <b>CMS_DEBUG_DECRYPT</b> flag. This option should be used with caution: see the notes section below.</p>
-
-</dd>
-<dt id="sign"><b>-sign</b></dt>
-<dd>
-
-<p>Sign mail using the supplied certificate and private key. Input file is the message to be signed. The signed message in MIME format is written to the output file.</p>
-
-</dd>
-<dt id="verify"><b>-verify</b></dt>
-<dd>
-
-<p>Verify signed mail. Expects a signed mail message on input and outputs the signed data. Both clear text and opaque signing is supported.</p>
-
-</dd>
-<dt id="cmsout"><b>-cmsout</b></dt>
-<dd>
-
-<p>Takes an input message and writes out a PEM encoded CMS structure.</p>
-
-</dd>
-<dt id="resign"><b>-resign</b></dt>
-<dd>
-
-<p>Resign a message: take an existing message and one or more new signers.</p>
-
-</dd>
-<dt id="data_create"><b>-data_create</b></dt>
-<dd>
-
-<p>Create a CMS <b>Data</b> type.</p>
-
-</dd>
-<dt id="data_out"><b>-data_out</b></dt>
-<dd>
-
-<p><b>Data</b> type and output the content.</p>
-
-</dd>
-<dt id="digest_create"><b>-digest_create</b></dt>
-<dd>
-
-<p>Create a CMS <b>DigestedData</b> type.</p>
-
-</dd>
-<dt id="digest_verify"><b>-digest_verify</b></dt>
-<dd>
-
-<p>Verify a CMS <b>DigestedData</b> type and output the content.</p>
-
-</dd>
-<dt id="compress"><b>-compress</b></dt>
-<dd>
-
-<p>Create a CMS <b>CompressedData</b> type. OpenSSL must be compiled with <b>zlib</b> support for this option to work, otherwise it will output an error.</p>
-
-</dd>
-<dt id="uncompress"><b>-uncompress</b></dt>
-<dd>
-
-<p>Uncompress a CMS <b>CompressedData</b> type and output the content. OpenSSL must be compiled with <b>zlib</b> support for this option to work, otherwise it will output an error.</p>
-
-</dd>
-<dt id="EncryptedData_encrypt"><b>-EncryptedData_encrypt</b></dt>
-<dd>
-
-<p>Encrypt content using supplied symmetric key and algorithm using a CMS <b>EncryptedData</b> type and output the content.</p>
-
-</dd>
-<dt id="sign_receipt"><b>-sign_receipt</b></dt>
-<dd>
-
-<p>Generate and output a signed receipt for the supplied message. The input message <b>must</b> contain a signed receipt request. Functionality is otherwise similar to the <b>-sign</b> operation.</p>
-
-</dd>
-<dt id="verify_receipt-receipt"><b>-verify_receipt receipt</b></dt>
-<dd>
-
-<p>Verify a signed receipt in filename <b>receipt</b>. The input message <b>must</b> contain the original receipt request. Functionality is otherwise similar to the <b>-verify</b> operation.</p>
-
-</dd>
-<dt id="in-filename"><b>-in filename</b></dt>
-<dd>
-
-<p>The input message to be encrypted or signed or the message to be decrypted or verified.</p>
-
-</dd>
-<dt id="inform-SMIME-PEM-DER"><b>-inform SMIME|PEM|DER</b></dt>
-<dd>
-
-<p>This specifies the input format for the CMS structure. The default is <b>SMIME</b> which reads an S/MIME format message. <b>PEM</b> and <b>DER</b> format change this to expect PEM and DER format CMS structures instead. This currently only affects the input format of the CMS structure, if no CMS structure is being input (for example with <b>-encrypt</b> or <b>-sign</b>) this option has no effect.</p>
-
-</dd>
-<dt id="rctform-SMIME-PEM-DER"><b>-rctform SMIME|PEM|DER</b></dt>
-<dd>
-
-<p>Specify the format for a signed receipt for use with the <b>-receipt_verify</b> operation.</p>
-
-</dd>
-<dt id="out-filename"><b>-out filename</b></dt>
-<dd>
-
-<p>The message text that has been decrypted or verified or the output MIME format message that has been signed or verified.</p>
-
-</dd>
-<dt id="outform-SMIME-PEM-DER"><b>-outform SMIME|PEM|DER</b></dt>
-<dd>
-
-<p>This specifies the output format for the CMS structure. The default is <b>SMIME</b> which writes an S/MIME format message. <b>PEM</b> and <b>DER</b> format change this to write PEM and DER format CMS structures instead. This currently only affects the output format of the CMS structure, if no CMS structure is being output (for example with <b>-verify</b> or <b>-decrypt</b>) this option has no effect.</p>
-
-</dd>
-<dt id="stream--indef--noindef"><b>-stream -indef -noindef</b></dt>
-<dd>
-
-<p>The <b>-stream</b> and <b>-indef</b> options are equivalent and enable streaming I/O for encoding operations. This permits single pass processing of data without the need to hold the entire contents in memory, potentially supporting very large files. Streaming is automatically set for S/MIME signing with detached data if the output format is <b>SMIME</b> it is currently off by default for all other operations.</p>
-
-</dd>
-<dt id="noindef"><b>-noindef</b></dt>
-<dd>
-
-<p>Disable streaming I/O where it would produce and indefinite length constructed encoding. This option currently has no effect. In future streaming will be enabled by default on all relevant operations and this option will disable it.</p>
-
-</dd>
-<dt id="content-filename"><b>-content filename</b></dt>
-<dd>
-
-<p>This specifies a file containing the detached content, this is only useful with the <b>-verify</b> command. This is only usable if the CMS structure is using the detached signature form where the content is not included. This option will override any content if the input format is S/MIME and it uses the multipart/signed MIME content type.</p>
-
-</dd>
-<dt id="text"><b>-text</b></dt>
-<dd>
-
-<p>This option adds plain text (text/plain) MIME headers to the supplied message if encrypting or signing. If decrypting or verifying it strips off text headers: if the decrypted or verified message is not of MIME type text/plain then an error occurs.</p>
-
-</dd>
-<dt id="noout"><b>-noout</b></dt>
-<dd>
-
-<p>For the <b>-cmsout</b> operation do not output the parsed CMS structure. This is useful when combined with the <b>-print</b> option or if the syntax of the CMS structure is being checked.</p>
-
-</dd>
-<dt id="print"><b>-print</b></dt>
-<dd>
-
-<p>For the <b>-cmsout</b> operation print out all fields of the CMS structure. This is mainly useful for testing purposes.</p>
-
-</dd>
-<dt id="CAfile-file"><b>-CAfile file</b></dt>
-<dd>
-
-<p>A file containing trusted CA certificates, only used with <b>-verify</b>.</p>
-
-</dd>
-<dt id="CApath-dir"><b>-CApath dir</b></dt>
-<dd>
-
-<p>A directory containing trusted CA certificates, only used with <b>-verify</b>. This directory must be a standard certificate directory: that is a hash of each subject name (using <b>x509 -hash</b>) should be linked to each certificate.</p>
-
-</dd>
-<dt id="no-CAfile"><b>-no-CAfile</b></dt>
-<dd>
-
-<p>Do not load the trusted CA certificates from the default file location</p>
-
-</dd>
-<dt id="no-CApath"><b>-no-CApath</b></dt>
-<dd>
-
-<p>Do not load the trusted CA certificates from the default directory location</p>
-
-</dd>
-<dt id="md-digest"><b>-md digest</b></dt>
-<dd>
-
-<p>Digest algorithm to use when signing or resigning. If not present then the default digest algorithm for the signing key will be used (usually SHA1).</p>
-
-</dd>
-<dt id="cipher"><b>-<i>cipher</i></b></dt>
-<dd>
-
-<p>The encryption algorithm to use. For example triple DES (168 bits) - <b>-des3</b> or 256 bit AES - <b>-aes256</b>. Any standard algorithm name (as used by the EVP_get_cipherbyname() function) can also be used preceded by a dash, for example <b>-aes-128-cbc</b>. See <a href="../man1/enc.html">enc(1)</a> for a list of ciphers supported by your version of OpenSSL.</p>
-
-<p>If not specified triple DES is used. Only used with <b>-encrypt</b> and <b>-EncryptedData_create</b> commands.</p>
-
-</dd>
-<dt id="nointern"><b>-nointern</b></dt>
-<dd>
-
-<p>When verifying a message normally certificates (if any) included in the message are searched for the signing certificate. With this option only the certificates specified in the <b>-certfile</b> option are used. The supplied certificates can still be used as untrusted CAs however.</p>
-
-</dd>
-<dt id="noverify"><b>-noverify</b></dt>
-<dd>
-
-<p>Do not verify the signers certificate of a signed message.</p>
-
-</dd>
-<dt id="nocerts"><b>-nocerts</b></dt>
-<dd>
-
-<p>When signing a message the signer&#39;s certificate is normally included with this option it is excluded. This will reduce the size of the signed message but the verifier must have a copy of the signers certificate available locally (passed using the <b>-certfile</b> option for example).</p>
-
-</dd>
-<dt id="noattr"><b>-noattr</b></dt>
-<dd>
-
-<p>Normally when a message is signed a set of attributes are included which include the signing time and supported symmetric algorithms. With this option they are not included.</p>
-
-</dd>
-<dt id="nosmimecap"><b>-nosmimecap</b></dt>
-<dd>
-
-<p>Exclude the list of supported algorithms from signed attributes, other options such as signing time and content type are still included.</p>
-
-</dd>
-<dt id="binary"><b>-binary</b></dt>
-<dd>
-
-<p>Normally the input message is converted to &quot;canonical&quot; format which is effectively using CR and LF as end of line: as required by the S/MIME specification. When this option is present no translation occurs. This is useful when handling binary data which may not be in MIME format.</p>
-
-</dd>
-<dt id="crlfeol"><b>-crlfeol</b></dt>
-<dd>
-
-<p>Normally the output file uses a single <b>LF</b> as end of line. When this option is present <b>CRLF</b> is used instead.</p>
-
-</dd>
-<dt id="asciicrlf"><b>-asciicrlf</b></dt>
-<dd>
-
-<p>When signing use ASCII CRLF format canonicalisation. This strips trailing whitespace from all lines, deletes trailing blank lines at EOF and sets the encapsulated content type. This option is normally used with detached content and an output signature format of DER. This option is not normally needed when verifying as it is enabled automatically if the encapsulated content format is detected.</p>
-
-</dd>
-<dt id="nodetach"><b>-nodetach</b></dt>
-<dd>
-
-<p>When signing a message use opaque signing: this form is more resistant to translation by mail relays but it cannot be read by mail agents that do not support S/MIME. Without this option cleartext signing with the MIME type multipart/signed is used.</p>
-
-</dd>
-<dt id="certfile-file"><b>-certfile file</b></dt>
-<dd>
-
-<p>Allows additional certificates to be specified. When signing these will be included with the message. When verifying these will be searched for the signers certificates. The certificates should be in PEM format.</p>
-
-</dd>
-<dt id="certsout-file"><b>-certsout file</b></dt>
-<dd>
-
-<p>Any certificates contained in the message are written to <b>file</b>.</p>
-
-</dd>
-<dt id="signer-file"><b>-signer file</b></dt>
-<dd>
-
-<p>A signing certificate when signing or resigning a message, this option can be used multiple times if more than one signer is required. If a message is being verified then the signers certificates will be written to this file if the verification was successful.</p>
-
-</dd>
-<dt id="recip-file"><b>-recip file</b></dt>
-<dd>
-
-<p>When decrypting a message this specifies the recipients certificate. The certificate must match one of the recipients of the message or an error occurs.</p>
-
-<p>When encrypting a message this option may be used multiple times to specify each recipient. This form <b>must</b> be used if customised parameters are required (for example to specify RSA-OAEP).</p>
-
-<p>Only certificates carrying RSA, Diffie-Hellman or EC keys are supported by this option.</p>
-
-</dd>
-<dt id="keyid"><b>-keyid</b></dt>
-<dd>
-
-<p>Use subject key identifier to identify certificates instead of issuer name and serial number. The supplied certificate <b>must</b> include a subject key identifier extension. Supported by <b>-sign</b> and <b>-encrypt</b> options.</p>
-
-</dd>
-<dt id="receipt_request_all--receipt_request_first"><b>-receipt_request_all</b>, <b>-receipt_request_first</b></dt>
-<dd>
-
-<p>For <b>-sign</b> option include a signed receipt request. Indicate requests should be provided by all recipient or first tier recipients (those mailed directly and not from a mailing list). Ignored it <b>-receipt_request_from</b> is included.</p>
-
-</dd>
-<dt id="receipt_request_from-emailaddress"><b>-receipt_request_from emailaddress</b></dt>
-<dd>
-
-<p>For <b>-sign</b> option include a signed receipt request. Add an explicit email address where receipts should be supplied.</p>
-
-</dd>
-<dt id="receipt_request_to-emailaddress"><b>-receipt_request_to emailaddress</b></dt>
-<dd>
-
-<p>Add an explicit email address where signed receipts should be sent to. This option <b>must</b> but supplied if a signed receipt it requested.</p>
-
-</dd>
-<dt id="receipt_request_print"><b>-receipt_request_print</b></dt>
-<dd>
-
-<p>For the <b>-verify</b> operation print out the contents of any signed receipt requests.</p>
-
-</dd>
-<dt id="secretkey-key"><b>-secretkey key</b></dt>
-<dd>
-
-<p>Specify symmetric key to use. The key must be supplied in hex format and be consistent with the algorithm used. Supported by the <b>-EncryptedData_encrypt</b> <b>-EncryptedData_decrypt</b>, <b>-encrypt</b> and <b>-decrypt</b> options. When used with <b>-encrypt</b> or <b>-decrypt</b> the supplied key is used to wrap or unwrap the content encryption key using an AES key in the <b>KEKRecipientInfo</b> type.</p>
-
-</dd>
-<dt id="secretkeyid-id"><b>-secretkeyid id</b></dt>
-<dd>
-
-<p>The key identifier for the supplied symmetric key for <b>KEKRecipientInfo</b> type. This option <b>must</b> be present if the <b>-secretkey</b> option is used with <b>-encrypt</b>. With <b>-decrypt</b> operations the <b>id</b> is used to locate the relevant key if it is not supplied then an attempt is used to decrypt any <b>KEKRecipientInfo</b> structures.</p>
-
-</dd>
-<dt id="econtent_type-type"><b>-econtent_type type</b></dt>
-<dd>
-
-<p>Set the encapsulated content type to <b>type</b> if not supplied the <b>Data</b> type is used. The <b>type</b> argument can be any valid OID name in either text or numerical format.</p>
-
-</dd>
-<dt id="inkey-file"><b>-inkey file</b></dt>
-<dd>
-
-<p>The private key to use when signing or decrypting. This must match the corresponding certificate. If this option is not specified then the private key must be included in the certificate file specified with the <b>-recip</b> or <b>-signer</b> file. When signing this option can be used multiple times to specify successive keys.</p>
-
-</dd>
-<dt id="keyopt-name:opt"><b>-keyopt name:opt</b></dt>
-<dd>
-
-<p>For signing and encryption this option can be used multiple times to set customised parameters for the preceding key or certificate. It can currently be used to set RSA-PSS for signing, RSA-OAEP for encryption or to modify default parameters for ECDH.</p>
-
-</dd>
-<dt id="passin-arg"><b>-passin arg</b></dt>
-<dd>
-
-<p>The private key password source. For more information about the format of <b>arg</b> see <a href="../man1/openssl.html">&quot;Pass Phrase Options&quot; in openssl(1)</a>.</p>
-
-</dd>
-<dt id="rand-file"><b>-rand file...</b></dt>
-<dd>
-
-<p>A file or files containing random data used to seed the random number generator. Multiple files can be specified separated by an OS-dependent character. The separator is <b>;</b> for MS-Windows, <b>,</b> for OpenVMS, and <b>:</b> for all others.</p>
-
-</dd>
-<dt id="writerand-file">[<b>-writerand file</b>]</dt>
-<dd>
-
-<p>Writes random data to the specified <i>file</i> upon exit. This can be used with a subsequent <b>-rand</b> flag.</p>
-
-</dd>
-<dt id="cert.pem"><b>cert.pem...</b></dt>
-<dd>
-
-<p>One or more certificates of message recipients: used when encrypting a message.</p>
-
-</dd>
-<dt id="to--from--subject"><b>-to, -from, -subject</b></dt>
-<dd>
-
-<p>The relevant mail headers. These are included outside the signed portion of a message so they may be included manually. If signing then many S/MIME mail clients check the signers certificate&#39;s email address matches that specified in the From: address.</p>
-
-</dd>
-<dt id="attime--check_ss_sig--crl_check--crl_check_all--explicit_policy--extended_crl--ignore_critical--inhibit_any--inhibit_map--no_alt_chains--no_check_time--partial_chain--policy--policy_check--policy_print--purpose--suiteB_128--suiteB_128_only--suiteB_192--trusted_first--use_deltas--auth_level--verify_depth--verify_email--verify_hostname--verify_ip--verify_name--x509_strict"><b>-attime</b>, <b>-check_ss_sig</b>, <b>-crl_check</b>, <b>-crl_check_all</b>, <b>-explicit_policy</b>, <b>-extended_crl</b>, <b>-ignore_critical</b>, <b>-inhibit_any</b>, <b>-inhibit_map</b>, <b>-no_alt_chains</b>, <b>-no_check_time</b>, <b>-partial_chain</b>, <b>-policy</b>, <b>-policy_check</b>, <b>-policy_print</b>, <b>-purpose</b>, <b>-suiteB_128</b>, <b>-suiteB_128_only</b>, <b>-suiteB_192</b>, <b>-trusted_first</b>, <b>-use_deltas</b>, <b>-auth_level</b>, <b>-verify_depth</b>, <b>-verify_email</b>, <b>-verify_hostname</b>, <b>-verify_ip</b>, <b>-verify_name</b>, <b>-x509_strict</b></dt>
-<dd>
-
-<p>Set various certificate chain validation options. See the <a href="../man1/verify.html">verify(1)</a> manual page for details.</p>
-
-</dd>
-</dl>
-
-<h1 id="NOTES">NOTES</h1>
-
-<p>The MIME message must be sent without any blank lines between the headers and the output. Some mail programs will automatically add a blank line. Piping the mail directly to sendmail is one way to achieve the correct format.</p>
-
-<p>The supplied message to be signed or encrypted must include the necessary MIME headers or many S/MIME clients won&#39;t display it properly (if at all). You can use the <b>-text</b> option to automatically add plain text headers.</p>
-
-<p>A &quot;signed and encrypted&quot; message is one where a signed message is then encrypted. This can be produced by encrypting an already signed message: see the examples section.</p>
-
-<p>This version of the program only allows one signer per message but it will verify multiple signers on received messages. Some S/MIME clients choke if a message contains multiple signers. It is possible to sign messages &quot;in parallel&quot; by signing an already signed message.</p>
-
-<p>The options <b>-encrypt</b> and <b>-decrypt</b> reflect common usage in S/MIME clients. Strictly speaking these process CMS enveloped data: CMS encrypted data is used for other purposes.</p>
-
-<p>The <b>-resign</b> option uses an existing message digest when adding a new signer. This means that attributes must be present in at least one existing signer using the same message digest or this operation will fail.</p>
-
-<p>The <b>-stream</b> and <b>-indef</b> options enable streaming I/O support. As a result the encoding is BER using indefinite length constructed encoding and no longer DER. Streaming is supported for the <b>-encrypt</b> operation and the <b>-sign</b> operation if the content is not detached.</p>
-
-<p>Streaming is always used for the <b>-sign</b> operation with detached data but since the content is no longer part of the CMS structure the encoding remains DER.</p>
-
-<p>If the <b>-decrypt</b> option is used without a recipient certificate then an attempt is made to locate the recipient by trying each potential recipient in turn using the supplied private key. To thwart the MMA attack (Bleichenbacher&#39;s attack on PKCS #1 v1.5 RSA padding) all recipients are tried whether they succeed or not and if no recipients match the message is &quot;decrypted&quot; using a random key which will typically output garbage. The <b>-debug_decrypt</b> option can be used to disable the MMA attack protection and return an error if no recipient can be found: this option should be used with caution. For a fuller description see <a href="../man3/CMS_decrypt.html">CMS_decrypt(3)</a>).</p>
-
-<h1 id="EXIT-CODES">EXIT CODES</h1>
-
-<dl>
-
-<dt id="pod0">0</dt>
-<dd>
-
-<p>The operation was completely successfully.</p>
-
-</dd>
-<dt id="pod1">1</dt>
-<dd>
-
-<p>An error occurred parsing the command options.</p>
-
-</dd>
-<dt id="pod2">2</dt>
-<dd>
-
-<p>One of the input files could not be read.</p>
-
-</dd>
-<dt id="pod3">3</dt>
-<dd>
-
-<p>An error occurred creating the CMS file or when reading the MIME message.</p>
-
-</dd>
-<dt id="pod4">4</dt>
-<dd>
-
-<p>An error occurred decrypting or verifying the message.</p>
-
-</dd>
-<dt id="pod5">5</dt>
-<dd>
-
-<p>The message was verified correctly but an error occurred writing out the signers certificates.</p>
-
-</dd>
-</dl>
-
-<h1 id="COMPATIBILITY-WITH-PKCS-7-format">COMPATIBILITY WITH PKCS#7 format.</h1>
-
-<p>The <b>smime</b> utility can only process the older <b>PKCS#7</b> format. The <b>cms</b> utility supports Cryptographic Message Syntax format. Use of some features will result in messages which cannot be processed by applications which only support the older format. These are detailed below.</p>
-
-<p>The use of the <b>-keyid</b> option with <b>-sign</b> or <b>-encrypt</b>.</p>
-
-<p>The <b>-outform PEM</b> option uses different headers.</p>
-
-<p>The <b>-compress</b> option.</p>
-
-<p>The <b>-secretkey</b> option when used with <b>-encrypt</b>.</p>
-
-<p>The use of PSS with <b>-sign</b>.</p>
-
-<p>The use of OAEP or non-RSA keys with <b>-encrypt</b>.</p>
-
-<p>Additionally the <b>-EncryptedData_create</b> and <b>-data_create</b> type cannot be processed by the older <b>smime</b> command.</p>
-
-<h1 id="EXAMPLES">EXAMPLES</h1>
-
-<p>Create a cleartext signed message:</p>
-
-<pre><code>openssl cms -sign -in message.txt -text -out mail.msg \
-       -signer mycert.pem</code></pre>
-
-<p>Create an opaque signed message</p>
-
-<pre><code>openssl cms -sign -in message.txt -text -out mail.msg -nodetach \
-       -signer mycert.pem</code></pre>
-
-<p>Create a signed message, include some additional certificates and read the private key from another file:</p>
-
-<pre><code>openssl cms -sign -in in.txt -text -out mail.msg \
-       -signer mycert.pem -inkey mykey.pem -certfile mycerts.pem</code></pre>
-
-<p>Create a signed message with two signers, use key identifier:</p>
-
-<pre><code>openssl cms -sign -in message.txt -text -out mail.msg \
-       -signer mycert.pem -signer othercert.pem -keyid</code></pre>
-
-<p>Send a signed message under Unix directly to sendmail, including headers:</p>
-
-<pre><code>openssl cms -sign -in in.txt -text -signer mycert.pem \
-       -from steve@openssl.org -to someone@somewhere \
-       -subject &quot;Signed message&quot; | sendmail someone@somewhere</code></pre>
-
-<p>Verify a message and extract the signer&#39;s certificate if successful:</p>
-
-<pre><code>openssl cms -verify -in mail.msg -signer user.pem -out signedtext.txt</code></pre>
-
-<p>Send encrypted mail using triple DES:</p>
-
-<pre><code>openssl cms -encrypt -in in.txt -from steve@openssl.org \
-       -to someone@somewhere -subject &quot;Encrypted message&quot; \
-       -des3 user.pem -out mail.msg</code></pre>
-
-<p>Sign and encrypt mail:</p>
-
-<pre><code>openssl cms -sign -in ml.txt -signer my.pem -text \
-       | openssl cms -encrypt -out mail.msg \
-       -from steve@openssl.org -to someone@somewhere \
-       -subject &quot;Signed and Encrypted message&quot; -des3 user.pem</code></pre>
-
-<p>Note: the encryption command does not include the <b>-text</b> option because the message being encrypted already has MIME headers.</p>
-
-<p>Decrypt mail:</p>
-
-<pre><code>openssl cms -decrypt -in mail.msg -recip mycert.pem -inkey key.pem</code></pre>
-
-<p>The output from Netscape form signing is a PKCS#7 structure with the detached signature format. You can use this program to verify the signature by line wrapping the base64 encoded structure and surrounding it with:</p>
-
-<pre><code>-----BEGIN PKCS7-----
-----END PKCS7-----</code></pre>
-
-<p>and using the command,</p>
-
-<pre><code>openssl cms -verify -inform PEM -in signature.pem -content content.txt</code></pre>
-
-<p>alternatively you can base64 decode the signature and use</p>
-
-<pre><code>openssl cms -verify -inform DER -in signature.der -content content.txt</code></pre>
-
-<p>Create an encrypted message using 128 bit Camellia:</p>
-
-<pre><code>openssl cms -encrypt -in plain.txt -camellia128 -out mail.msg cert.pem</code></pre>
-
-<p>Add a signer to an existing message:</p>
-
-<pre><code>openssl cms -resign -in mail.msg -signer newsign.pem -out mail2.msg</code></pre>
-
-<p>Sign mail using RSA-PSS:</p>
-
-<pre><code>openssl cms -sign -in message.txt -text -out mail.msg \
-       -signer mycert.pem -keyopt rsa_padding_mode:pss</code></pre>
-
-<p>Create encrypted mail using RSA-OAEP:</p>
-
-<pre><code>openssl cms -encrypt -in plain.txt -out mail.msg \
-       -recip cert.pem -keyopt rsa_padding_mode:oaep</code></pre>
-
-<p>Use SHA256 KDF with an ECDH certificate:</p>
-
-<pre><code>openssl cms -encrypt -in plain.txt -out mail.msg \
-       -recip ecdhcert.pem -keyopt ecdh_kdf_md:sha256</code></pre>
-
-<h1 id="BUGS">BUGS</h1>
-
-<p>The MIME parser isn&#39;t very clever: it seems to handle most messages that I&#39;ve thrown at it but it may choke on others.</p>
-
-<p>The code currently will only write out the signer&#39;s certificate to a file: if the signer has a separate encryption certificate this must be manually extracted. There should be some heuristic that determines the correct encryption certificate.</p>
-
-<p>Ideally a database should be maintained of a certificates for each email address.</p>
-
-<p>The code doesn&#39;t currently take note of the permitted symmetric encryption algorithms as supplied in the SMIMECapabilities signed attribute. this means the user has to manually include the correct encryption algorithm. It should store the list of permitted ciphers in a database and only use those.</p>
-
-<p>No revocation checking is done on the signer&#39;s certificate.</p>
-
-<p>The <b>-binary</b> option does not work correctly when processing text input which (contrary to the S/MIME specification) uses LF rather than CRLF line endings.</p>
-
-<h1 id="HISTORY">HISTORY</h1>
-
-<p>The use of multiple <b>-signer</b> options and the <b>-resign</b> command were first added in OpenSSL 1.0.0.</p>
-
-<p>The <b>keyopt</b> option was added in OpenSSL 1.0.2.</p>
-
-<p>Support for RSA-OAEP and RSA-PSS was added in OpenSSL 1.0.2.</p>
-
-<p>The use of non-RSA keys with <b>-encrypt</b> and <b>-decrypt</b> was added in OpenSSL 1.0.2.</p>
-
-<p>The -no_alt_chains option was added in OpenSSL 1.0.2b.</p>
-
-<h1 id="COPYRIGHT">COPYRIGHT</h1>
-
-<p>Copyright 2008-2022 The OpenSSL Project Authors. All Rights Reserved.</p>
-
-<p>Licensed under the OpenSSL license (the &quot;License&quot;). You may not use this file except in compliance with the License. You can obtain a copy in the file LICENSE in the source distribution or at <a href="https://www.openssl.org/source/license.html">https://www.openssl.org/source/license.html</a>.</p>
-
-
-</body>
-
-</html>
-
-
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Cory McWilliams	af13bfc920	Let's release 0.0.11. git-svn-id: https://www.unprompted.com/svn/projects/tildefriends/trunk@4478 ed5197a5-7fde-0310-b194-c3ffbd925b24	2023-09-27 22:26:19 +00:00
Cory McWilliams	e24fd92f85	OpenSSL 1.1.1w for Android. git-svn-id: https://www.unprompted.com/svn/projects/tildefriends/trunk@4477 ed5197a5-7fde-0310-b194-c3ffbd925b24	2023-09-27 22:23:52 +00:00
Cory McWilliams	7e27cefe6a	This made 32-bit happier. git-svn-id: https://www.unprompted.com/svn/projects/tildefriends/trunk@4476 ed5197a5-7fde-0310-b194-c3ffbd925b24	2023-09-25 16:43:56 +00:00
Cory McWilliams	450cf6424e	Oops! Passwords go in password fields. git-svn-id: https://www.unprompted.com/svn/projects/tildefriends/trunk@4475 ed5197a5-7fde-0310-b194-c3ffbd925b24	2023-09-23 21:29:01 +00:00
Cory McWilliams	54898d3dbb	More thorough checkpoint. git-svn-id: https://www.unprompted.com/svn/projects/tildefriends/trunk@4474 ed5197a5-7fde-0310-b194-c3ffbd925b24	2023-09-23 18:49:24 +00:00
Cory McWilliams	dd851a2b25	Let's try some wal truncating. git-svn-id: https://www.unprompted.com/svn/projects/tildefriends/trunk@4473 ed5197a5-7fde-0310-b194-c3ffbd925b24	2023-09-23 18:41:58 +00:00
Cory McWilliams	4c6b44eb30	Implemented password changing. git-svn-id: https://www.unprompted.com/svn/projects/tildefriends/trunk@4472 ed5197a5-7fde-0310-b194-c3ffbd925b24	2023-09-22 22:59:26 +00:00
Cory McWilliams	74a3efe78d	Let's restrict valid usernames. git-svn-id: https://www.unprompted.com/svn/projects/tildefriends/trunk@4471 ed5197a5-7fde-0310-b194-c3ffbd925b24	2023-09-22 22:41:47 +00:00
Cory McWilliams	51301fc49e	More room robustifying? git-svn-id: https://www.unprompted.com/svn/projects/tildefriends/trunk@4470 ed5197a5-7fde-0310-b194-c3ffbd925b24	2023-09-22 22:20:25 +00:00
Cory McWilliams	02dd8c3dd0	Try to isolate my instability with go-ssb-room. I guess I did? Haven't found a resolution. git-svn-id: https://www.unprompted.com/svn/projects/tildefriends/trunk@4469 ed5197a5-7fde-0310-b194-c3ffbd925b24	2023-09-21 23:38:55 +00:00
Cory McWilliams	26a778c3b2	Might as well make the case consistent. git-svn-id: https://www.unprompted.com/svn/projects/tildefriends/trunk@4468 ed5197a5-7fde-0310-b194-c3ffbd925b24	2023-09-21 00:40:47 +00:00
Cory McWilliams	9fecbd97e8	Autocomplete blob refs. That's too cool. git-svn-id: https://www.unprompted.com/svn/projects/tildefriends/trunk@4467 ed5197a5-7fde-0310-b194-c3ffbd925b24	2023-09-21 00:26:29 +00:00
Cory McWilliams	e1383e3903	Move the HTTP timeout into C where we can manage it better as writes are active. Fixes an accidental 45 second GET timeout from httpd.js. git-svn-id: https://www.unprompted.com/svn/projects/tildefriends/trunk@4466 ed5197a5-7fde-0310-b194-c3ffbd925b24	2023-09-20 23:30:29 +00:00
Cory McWilliams	47532b8512	Snapping to grid. git-svn-id: https://www.unprompted.com/svn/projects/tildefriends/trunk@4465 ed5197a5-7fde-0310-b194-c3ffbd925b24	2023-09-17 20:52:12 +00:00
Cory McWilliams	3c4959433a	Proof of concept of building emojis. git-svn-id: https://www.unprompted.com/svn/projects/tildefriends/trunk@4464 ed5197a5-7fde-0310-b194-c3ffbd925b24	2023-09-17 13:22:29 +00:00
Cory McWilliams	e921b4a86a	Actually serialize doubles. Yikes. git-svn-id: https://www.unprompted.com/svn/projects/tildefriends/trunk@4463 ed5197a5-7fde-0310-b194-c3ffbd925b24	2023-09-17 00:13:31 +00:00
Cory McWilliams	b23b0ca239	Some include-what-you-use progress. git-svn-id: https://www.unprompted.com/svn/projects/tildefriends/trunk@4462 ed5197a5-7fde-0310-b194-c3ffbd925b24	2023-09-13 23:39:52 +00:00
Cory McWilliams	191b45f054	Better map link. git-svn-id: https://www.unprompted.com/svn/projects/tildefriends/trunk@4461 ed5197a5-7fde-0310-b194-c3ffbd925b24	2023-09-13 23:01:15 +00:00
Cory McWilliams	15d0383349	api docs work in progress. git-svn-id: https://www.unprompted.com/svn/projects/tildefriends/trunk@4460 ed5197a5-7fde-0310-b194-c3ffbd925b24	2023-09-13 23:00:47 +00:00
Cory McWilliams	d2485583fd	sqlite-amalgamation-3430100.zip git-svn-id: https://www.unprompted.com/svn/projects/tildefriends/trunk@4459 ed5197a5-7fde-0310-b194-c3ffbd925b24	2023-09-13 21:19:37 +00:00
Cory McWilliams	2b94704916	If a user visiting /login is already authenticated, bounce them away. This is me trying to avoid hassle for people who bookmarked the login page. git-svn-id: https://www.unprompted.com/svn/projects/tildefriends/trunk@4458 ed5197a5-7fde-0310-b194-c3ffbd925b24	2023-09-11 16:52:17 +00:00
Cory McWilliams	85ac6c215a	Populate host and port for incoming SSB connections, too. git-svn-id: https://www.unprompted.com/svn/projects/tildefriends/trunk@4457 ed5197a5-7fde-0310-b194-c3ffbd925b24	2023-09-09 14:45:55 +00:00
Cory McWilliams	e83e665db9	Try harder to not reply to errors. Dunno. git-svn-id: https://www.unprompted.com/svn/projects/tildefriends/trunk@4456 ed5197a5-7fde-0310-b194-c3ffbd925b24	2023-09-09 14:28:06 +00:00
Cory McWilliams	645aafef16	zlib 1.3. git-svn-id: https://www.unprompted.com/svn/projects/tildefriends/trunk@4455 ed5197a5-7fde-0310-b194-c3ffbd925b24	2023-09-07 22:44:49 +00:00
Cory McWilliams	152c893a6f	Fix wrong argument count on ssb.blobStore. git-svn-id: https://www.unprompted.com/svn/projects/tildefriends/trunk@4454 ed5197a5-7fde-0310-b194-c3ffbd925b24	2023-09-07 22:44:18 +00:00
Cory McWilliams	7c130dda56	Beef up the API docs. git-svn-id: https://www.unprompted.com/svn/projects/tildefriends/trunk@4453 ed5197a5-7fde-0310-b194-c3ffbd925b24	2023-09-07 00:40:43 +00:00
Cory McWilliams	2d82dad806	Restore the connections tab. git-svn-id: https://www.unprompted.com/svn/projects/tildefriends/trunk@4452 ed5197a5-7fde-0310-b194-c3ffbd925b24	2023-09-06 22:48:06 +00:00
Cory McWilliams	e8ac5b759d	Fix emoji search case again, and render issues. git-svn-id: https://www.unprompted.com/svn/projects/tildefriends/trunk@4451 ed5197a5-7fde-0310-b194-c3ffbd925b24	2023-09-06 22:35:20 +00:00
Cory McWilliams	4833d18968	Fix android app version. git-svn-id: https://www.unprompted.com/svn/projects/tildefriends/trunk@4450 ed5197a5-7fde-0310-b194-c3ffbd925b24	2023-09-05 16:21:28 +00:00
Cory McWilliams	6eafded1f6	Added the memory sparkline and tried to CSS them differently. git-svn-id: https://www.unprompted.com/svn/projects/tildefriends/trunk@4449 ed5197a5-7fde-0310-b194-c3ffbd925b24	2023-09-04 20:13:17 +00:00
Cory McWilliams	7b440b720e	Set issues app icon. git-svn-id: https://www.unprompted.com/svn/projects/tildefriends/trunk@4448 ed5197a5-7fde-0310-b194-c3ffbd925b24	2023-09-04 19:47:07 +00:00
Cory McWilliams	e20ba7384f	Put the latlng popup on the contextmenu event. git-svn-id: https://www.unprompted.com/svn/projects/tildefriends/trunk@4447 ed5197a5-7fde-0310-b194-c3ffbd925b24	2023-09-04 19:26:48 +00:00
Cory McWilliams	45231c6ede	Add some GPS game tabs. git-svn-id: https://www.unprompted.com/svn/projects/tildefriends/trunk@4446 ed5197a5-7fde-0310-b194-c3ffbd925b24	2023-09-04 19:21:00 +00:00
Cory McWilliams	35475defb5	Faster activity load through concurrency. git-svn-id: https://www.unprompted.com/svn/projects/tildefriends/trunk@4445 ed5197a5-7fde-0310-b194-c3ffbd925b24	2023-09-04 18:01:06 +00:00
Cory McWilliams	8741841f27	Add the missing leaflet .js.map file. Link to Google Maps from clicked map locations. Allow poup from the sandbox to support target="_blank" links, though that does not work here. git-svn-id: https://www.unprompted.com/svn/projects/tildefriends/trunk@4444 ed5197a5-7fde-0310-b194-c3ffbd925b24	2023-09-04 17:44:05 +00:00
Cory McWilliams	5282d19b55	Structure replies to issues as replies so that their posts don't appear so unusual. git-svn-id: https://www.unprompted.com/svn/projects/tildefriends/trunk@4443 ed5197a5-7fde-0310-b194-c3ffbd925b24	2023-09-04 17:12:32 +00:00
Cory McWilliams	d9782aa0fb	Automatically reply encrypted to the same recipients. git-svn-id: https://www.unprompted.com/svn/projects/tildefriends/trunk@4442 ed5197a5-7fde-0310-b194-c3ffbd925b24	2023-09-02 13:37:50 +00:00
Cory McWilliams	9751facfb4	Add recps field to encrypted messages. git-svn-id: https://www.unprompted.com/svn/projects/tildefriends/trunk@4441 ed5197a5-7fde-0310-b194-c3ffbd925b24	2023-09-02 13:25:31 +00:00
Cory McWilliams	e0110203e7	More reliable addition of encrypted messages. There's something I'm not understanding with lit. git-svn-id: https://www.unprompted.com/svn/projects/tildefriends/trunk@4440 ed5197a5-7fde-0310-b194-c3ffbd925b24	2023-09-02 02:06:29 +00:00
Cory McWilliams	088b44cc2c	Fix the admin app. git-svn-id: https://www.unprompted.com/svn/projects/tildefriends/trunk@4439 ed5197a5-7fde-0310-b194-c3ffbd925b24	2023-09-01 16:26:24 +00:00
Cory McWilliams	8f63bcbfbf	Sending encrypted messages. Revealing some weird behavior, but it's working. git-svn-id: https://www.unprompted.com/svn/projects/tildefriends/trunk@4438 ed5197a5-7fde-0310-b194-c3ffbd925b24	2023-09-01 01:34:01 +00:00
Cory McWilliams	c8029388c9	Blockquote and connections tab tweaks. git-svn-id: https://www.unprompted.com/svn/projects/tildefriends/trunk@4437 ed5197a5-7fde-0310-b194-c3ffbd925b24	2023-08-31 16:46:40 +00:00
Cory McWilliams	d9c4d847a1	Fix Strava account linking. git-svn-id: https://www.unprompted.com/svn/projects/tildefriends/trunk@4436 ed5197a5-7fde-0310-b194-c3ffbd925b24	2023-08-31 16:31:24 +00:00
Cory McWilliams	df9d9425ec	Add issues app. git-svn-id: https://www.unprompted.com/svn/projects/tildefriends/trunk@4435 ed5197a5-7fde-0310-b194-c3ffbd925b24	2023-08-31 00:12:18 +00:00
Cory McWilliams	90bb3c684e	OK, no -fanalyzer on raspi, yet. git-svn-id: https://www.unprompted.com/svn/projects/tildefriends/trunk@4434 ed5197a5-7fde-0310-b194-c3ffbd925b24	2023-08-30 23:58:01 +00:00
Cory McWilliams	9c81b6de8a	This should have gone away in a previous change. git-svn-id: https://www.unprompted.com/svn/projects/tildefriends/trunk@4433 ed5197a5-7fde-0310-b194-c3ffbd925b24	2023-08-30 23:50:28 +00:00
Cory McWilliams	6383498041	Oops. Makefile debugging. git-svn-id: https://www.unprompted.com/svn/projects/tildefriends/trunk@4432 ed5197a5-7fde-0310-b194-c3ffbd925b24	2023-08-30 21:38:59 +00:00
Cory McWilliams	daeb88785d	Let's try -fanalyzer. git-svn-id: https://www.unprompted.com/svn/projects/tildefriends/trunk@4431 ed5197a5-7fde-0310-b194-c3ffbd925b24	2023-08-25 20:57:55 +00:00
Cory McWilliams	dcea08f73b	Enforce a timeout on user SQL queries. git-svn-id: https://www.unprompted.com/svn/projects/tildefriends/trunk@4430 ed5197a5-7fde-0310-b194-c3ffbd925b24	2023-08-25 20:23:40 +00:00
Cory McWilliams	b252b921f8	Call out restricted DB access when we acquire the reader. git-svn-id: https://www.unprompted.com/svn/projects/tildefriends/trunk@4429 ed5197a5-7fde-0310-b194-c3ffbd925b24	2023-08-25 19:41:54 +00:00
Cory McWilliams	172826bf13	Use the right default port now that I'm not always running two different clients side-by-side. git-svn-id: https://www.unprompted.com/svn/projects/tildefriends/trunk@4428 ed5197a5-7fde-0310-b194-c3ffbd925b24	2023-08-25 18:51:14 +00:00
Cory McWilliams	060f1980f5	A little more paranoia around the file watcher. git-svn-id: https://www.unprompted.com/svn/projects/tildefriends/trunk@4427 ed5197a5-7fde-0310-b194-c3ffbd925b24	2023-08-25 18:27:19 +00:00
Cory McWilliams	e223d35252	Make the connections tab know more about tunnels and such. git-svn-id: https://www.unprompted.com/svn/projects/tildefriends/trunk@4426 ed5197a5-7fde-0310-b194-c3ffbd925b24	2023-08-25 18:22:09 +00:00
Cory McWilliams	99dba1a4c6	svn didn't notice that these files changed. git-svn-id: https://www.unprompted.com/svn/projects/tildefriends/trunk@4425 ed5197a5-7fde-0310-b194-c3ffbd925b24	2023-08-25 17:19:59 +00:00
Cory McWilliams	b52026c81f	Give quoted text a bar on the side, like I'm used to. git-svn-id: https://www.unprompted.com/svn/projects/tildefriends/trunk@4424 ed5197a5-7fde-0310-b194-c3ffbd925b24	2023-08-25 17:06:32 +00:00
Cory McWilliams	47b8c86426	sqlite-amalgamation-3430000.zip git-svn-id: https://www.unprompted.com/svn/projects/tildefriends/trunk@4423 ed5197a5-7fde-0310-b194-c3ffbd925b24	2023-08-25 16:20:32 +00:00
Cory McWilliams	2e55c68648	Get ready for 0.0.11. git-svn-id: https://www.unprompted.com/svn/projects/tildefriends/trunk@4422 ed5197a5-7fde-0310-b194-c3ffbd925b24	2023-08-23 22:40:00 +00:00